b"September 2006\nReport No. 06-022\n\n\nIndependent Evaluation of the FDIC\xe2\x80\x99s\nInformation Security Program-2006\n\n\n\n\n             AUDIT REPORT\n\x0c                                                                                                Report No. 06-022\n                                                                                                 September 2006\n\n\n                                  Independent Evaluation of the FDIC\xe2\x80\x99s Information\n                                  Security Program-2006\n                                  Results of Evaluation\nBackground and\nPurpose of Evaluation             As a result of focused efforts over the last several years, the FDIC has\n                                  made significant progress in improving its information security program\nThe FDIC\xe2\x80\x99s mission is to          and practices. Further, additional improvements were underway at the\ncontribute to the stability and   time of our evaluation. Our work did not identify any significant\npublic confidence in the          deficiencies in the FDIC\xe2\x80\x99s information security program that warrant\nnation\xe2\x80\x99s financial system by      consideration as a potential material weakness as defined by the Office of\ninsuring deposits, examining      Management and Budget. However, as shown in the table below,\nand supervising financial         continued management attention is needed in key security control areas to\ninstitutions, and managing        ensure that appropriate risk-based and cost-effective security controls are\nreceiverships. To achieve its     in place to secure the FDIC\xe2\x80\x99s information resources in furtherance of the\nmission, the FDIC relies on\n                                  Corporation\xe2\x80\x99s security program goals and objectives. Therefore, we\nautomated information systems\nto collect, process, and store    concluded that the FDIC had established and implemented internal controls\nvast amounts of banking and       that provided limited assurance of adequate security for its information\nother sensitive information.      resources. Our report includes a number of steps that the Corporation can\nMuch of this information is       take to strengthen its information security program and practices.\nused by financial regulators,\nacademia, and the public to\nmonitor bank performance,         Office of Inspector General (OIG) Assessment of the FDIC\xe2\x80\x99s\ndevelop regulatory policy, and    Security Program Controls\nconduct research on and\nanalysis of important banking                       Control Families Tested         Control Families Tested That\n                                     Control\nissues. Ensuring the integrity,                       That Demonstrate                Warrant Management\n                                      Class\navailability, and appropriate                            Effectiveness                       Attention\nconfidentiality of this\ninformation in an environment                     \xe2\x80\xa2 Information Security           \xe2\x80\xa2 Enterprise Architecture\n                                   Program\nof increasingly sophisticated                       Governance                     \xe2\x80\xa2 Capital Planning\nsecurity threats and global\nconnectivity requires a strong,                   \xe2\x80\xa2 Risk Assessment                \xe2\x80\xa2 Certification, Accreditation,\n                                   Management\nenterprise-wide information                       \xe2\x80\xa2 Planning                         and Security Assessments\nsecurity program.\n                                                  \xe2\x80\xa2 Contingency Planning           \xe2\x80\xa2 Personnel Security\n                                                  \xe2\x80\xa2 Incident Response              \xe2\x80\xa2 Physical Security and\nThe objective of the evaluation\nwas to determine the                              \xe2\x80\xa2 Awareness and Training           Environmental Protection\neffectiveness of the FDIC\xe2\x80\x99s                                                        \xe2\x80\xa2 Configuration Management\n                                   Operational\ninformation security program                                                       \xe2\x80\xa2 Maintenance\nand practices, including the                                                       \xe2\x80\xa2 System and Information\nFDIC\xe2\x80\x99s compliance with the                                                           Integrity\nFederal Information Security                                                       \xe2\x80\xa2 Media Protection\nManagement Act of 2002\n                                                  \xe2\x80\xa2 Identification and             \xe2\x80\xa2 Access Control\n(FISMA) and related                Technical\ninformation security policies,\n                                                    Authentication                 \xe2\x80\xa2 Audit and Accountability\nprocedures, standards, and        Source: 2006 FDIC OIG Evaluation of the FDIC\xe2\x80\x99s Information Security Program.\nguidelines.\nTo view the full report, go to\nwww.fdicig.gov/2006reports.asp\n\x0c                             TABLE OF CONTENTS\n\n\nBACKGROUND                                                              5\nRESULTS OF EVALUATION                                                  11\nPROGRAM CONTROLS                                                       13\nMANAGEMENT CONTROLS                                                    18\nOPERATIONAL CONTROLS                                                   22\nTECHNICAL CONTROLS                                                     30\n\nAPPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY                          34\n\nAPPENDIX II: NIST SP 800-53 CONTROLS TESTED                            42\n\nAPPENDIX III: ACRONYMS                                                 47\n\nAPPENDIX IV: GLOSSARY OF TERMS                                         49\n\n\nTABLES\n\nTable 1:   The FDIC's General Support Systems and Major Applications    7\nTable 2:   OIG Assessment of the FDIC's Security Controls              12\nTable 3:   Security Control Classes and Families                       36\nTable 4:   Information Security Program Assurance Levels               37\n\nFIGURES\n\nFigure 1: Managing Enterprise Risk (The Framework)                      6\nFigure 2: The FDIC's IT Security Governance                             8\n\x0cFederal Deposit Insurance Corporation\n3501 Fairfax Drive, Arlington, VA 22226                                                      Office of Inspector General\n\n\n\n\nDATE:                                     September 27, 2006\n\nMEMORANDUM TO:                            Sheila C. Bair, Chairman\n                                          Federal Deposit Insurance Corporation\n\nFROM:                                     Jon T. Rymer\n                                          Inspector General\n\n\nSUBJECT:                                  Independent Evaluation of the FDIC\xe2\x80\x99s\n                                          Information Security Program-2006\n                                          (Report No. 06-022)\n\n\nAs required by the Federal Information Security Management Act of 2002 (FISMA), we\nhave completed an independent evaluation of the FDIC\xe2\x80\x99s information security program\nand practices. FISMA directs federal agencies to have an annual independent evaluation\nperformed of their information security program and practices and to report the results of\nthe evaluation to the Office of Management and Budget (OMB). FISMA states that the\nindependent evaluation is to be performed by the agency Inspector General (IG) or an\nindependent external auditor as determined by the IG. We issued separate audit reports\nto the Chief Information Officer (CIO) and Chief Privacy Officer that contain responses\nto specific sections of the July 17, 2006 OMB memorandum entitled, FY 2006 Reporting\nInstructions for the Federal Information Security Management Act and Agency Privacy\nManagement.1 Our responses to the OMB questions, together with this independent\nsecurity evaluation report, satisfy our 2006 FISMA reporting requirements. In addition,\nwe plan to issue a separate report to the CIO that contains more detailed information\nabout the security control deficiencies discussed in this report and make appropriate\nrecommendations, if necessary, at that time.\n\nThe objective of our evaluation was to determine the effectiveness of the FDIC\xe2\x80\x99s\ninformation security program and practices, including the FDIC\xe2\x80\x99s compliance with\nFISMA and related information security policies, procedures, standards, and guidelines.\nDetails regarding the evaluation\xe2\x80\x99s scope and methodology are presented in Appendixes I\nand II, and an acronyms list is provided in Appendix III. A glossary of terms used in this\nreport is provided in Appendix IV.\n\nAs our report details, the FDIC has made significant progress in addressing current and\nemerging security standards and guidelines developed by the National Institute of\nStandards and Technology (NIST). However, continued management attention is\n\n1\n    Responses to Security-Related Questions in OMB\xe2\x80\x99s Fiscal Year 2006 Reporting Instructions for FISMA and\n    Agency Privacy Management, dated September 22, 2006 (Report No. 06-019) and Response to Privacy\n    Program Information Request in OMB\xe2\x80\x99s Fiscal Year 2006 Reporting Instructions for FISMA and Agency\n    Privacy Management, dated September 22, 2006 (Report No. 06-018).\n\x0cwarranted in key security control areas to ensure that appropriate risk-based and cost-\neffective security controls are implemented to secure the FDIC\xe2\x80\x99s information resources.\nOur work did not identify any significant deficiencies in the FDIC\xe2\x80\x99s information security\nprogram that warrant consideration as a potential material weakness as defined by the\nOMB.2\n\nSimilar to our prior-year security evaluations, we identified key steps (listed in priority\norder below) that the Corporation can take to improve the effectiveness of its information\nsecurity program controls. These steps are targeted to address the control areas in which\nthe opportunity to improve performance is the greatest. In many cases, the FDIC was\nalready working to address these steps during our evaluation field work.\n\n    (1) Continue to place priority attention on certifying and accrediting the FDIC\xe2\x80\x99s\n        non-major application systems that process sensitive data.\n\n    (2) Develop a risk-based, enterprise-wide approach for (a) monitoring user access\n        privileges in information systems and (b) generating and reviewing audit logs for\n        the FDIC\xe2\x80\x99s inventory of information systems.\n\n    (3) Ensure that all sensitive data stored on mobile FDIC computing devices is\n        encrypted consistent with OMB\xe2\x80\x99s June 23, 2006 memorandum entitled, Protection\n        of Sensitive Agency Information.\n\n    (4) Complete the FDIC\xe2\x80\x99s information security risk management program methodology\n        by defining procedures for performing (a) continuous monitoring of system security\n        controls after accreditation and (b) contingency planning for systems.\n\n    (5) Define more fully the FDIC\xe2\x80\x99s information security standards and integrate these\n        standards into the Corporation\xe2\x80\x99s enterprise architecture (EA).3\n\n    (6) Enhance the FDIC\xe2\x80\x99s inventory of information systems by: (a) identifying systems\n        used or operated by contractors and other organizations on behalf of the FDIC;\n        (b) including interfaces between each system in the inventory and all other systems\n        and networks, including those not operated by or under the control of the FDIC; and\n\n\n2\n    The OMB defines a significant deficiency as a weakness in an agency\xe2\x80\x99s overall information systems security\n    program or management control structure, or within one or more information systems, that significantly\n    restricts the capability of the agency to carry out its mission or compromises the security of its information,\n    information systems, personnel, or other resources, operations, or assets. In this context, the risk is great\n    enough that the agency head and outside agencies must be notified, and immediate or near-immediate\n    corrective action must be taken. The OMB defines a material weakness as a significant deficiency that the\n    agency head determines to be significant enough to be reported outside the agency (i.e., included in the\n    annual management control report to the President and the Congress).\n3\n    An EA is an agency-wide blueprint that defines, in both business and technological terms, an organization\xe2\x80\x99s\n    current and target operating environments and the organization\xe2\x80\x99s transition between the two. Among other\n    things, the EA defines principles and goals for, and sets direction on, information technology (IT) security.\n    Although the FDIC is not legally required to develop an EA, the FDIC recognizes the value of having an EA\n    and is working to implement an EA.\n\n\n\n                                                         2\n\x0c        (c) leveraging the EA to centrally manage, track, and report risk-management\n        related information, such as system categorization and test and authorization dates.\n\n    (7) Strengthen oversight of contractors with access to sensitive information and\n        systems by (a) ensuring that contractor IT equipment connected to the FDIC\xe2\x80\x99s\n        network are routinely scanned for security vulnerabilities and the results are\n        addressed in a timely manner and (b) ensuring that confidentiality agreements are\n        executed in accordance with FDIC policy.\n\n    (8) Strengthen change-control procedures related to mainframe system software to\n        ensure that system software programs are formally documented and that changes\n        are formally controlled and approved.\n\n    (9) Improve the FDIC\xe2\x80\x99s information security cost management practices in order to\n        facilitate resource and investment decisions.\n\n    As part of its audit of the FDIC\xe2\x80\x99s calendar year 2005 financial statements,4 the\n    Government Accountability Office (GAO) identified a number of information security\n    control weaknesses in the FDIC\xe2\x80\x99s information systems controls that are designed to\n    protect the confidentiality, integrity, and availability of key financial information and\n    information systems. The collective severity of these weaknesses were such that GAO\n    considered them to be a reportable condition5 as of December 31, 2005 because the\n    weaknesses increased the risk of unauthorized modification and disclosure of critical\n    FDIC financial and sensitive personnel information, disruption of critical operations,\n    and loss of assets.\n\n    In its response to GAO\xe2\x80\x99s conclusions, the FDIC acknowledged but did not share the\n    GAO\xe2\x80\x99s assessment of the severity of the risk impact or magnitude of the collective\n    vulnerability posed by the control issues identified by GAO. However, the FDIC\n    indicated that it would work with GAO to reconcile both organizations\xe2\x80\x99 respective\n    views and augment its information security program and practices in those instances\n    where FDIC and GAO determine that changes are appropriate. In August 2006, GAO\n    issued a report to the FDIC\xe2\x80\x99s Board of Directors related to the 2005 Financial\n    Statements.6 GAO recommended that the FDIC Chairman fully implement key\n    elements of its agency-wide information security program. We will consider the\n    FDIC\xe2\x80\x99s actions in response to GAO\xe2\x80\x99s recommendations as part of our next annual\n    FISMA evaluation.\n\n    In view of the collective risk associated with the results of our independent security\n    program assessment and GAO\xe2\x80\x99s financial statement audit, the FDIC should consider\n\n4\n    FINANCIAL AUDIT Federal Deposit Insurance Corporation Funds 2005 and 2004 Financial Statements,\n    dated March 2006 (Report No. GAO-06-146).\n5\n    The reportable condition in information system controls, although not considered material, represents a\n    significant deficiency in the design or operation of internal control that could adversely affect the FDIC\xe2\x80\x99s\n    ability to meet its internal control objectives.\n6\n    INFORMATION SECURITY Federal Deposit Insurance Corporation Needs to Improve Its Program, dated\n    August 2006 (Report No. GAO-06-620).\n\n\n\n                                                         3\n\x0cincluding the information security program as an area of high priority for management\nattention in the annual statement of assurance on internal accounting and administrative\ncontrol required by the Chief Financial Officers Act and Federal Managers Financial\nIntegrity Act (FMFIA). Such treatment will help ensure appropriate senior\nmanagement visibility in order to address information security program risks.\nAppendix I contains additional information about information-security-related laws,\nregulations, and other guidance.\n\nThe FDIC\xe2\x80\x99s Office of Inspector General (OIG) will continue to work with the\nCorporation throughout the coming year to ensure that appropriate risk-based and cost-\neffective information security controls are in place to secure the Corporation\xe2\x80\x99s\ninformation resources and achieve its security goals and objectives.\n\n\n\n\n                                          4\n\x0cBACKGROUND\n\nTitle III of the E-Government Act of 2002, commonly referred to as FISMA, focuses on\nimproving oversight of federal information security programs and facilitating progress in\ncorrecting agency information security weaknesses. FISMA requires federal agencies to\ndevelop, document, and implement an agency-wide information security program that\nprovides security for the information and information systems that support the operations\nand assets of the agency, including those provided or managed by another agency,\ncontractor, or other source. The Act assigns specific responsibilities to agency heads,\nIGs, OMB, and NIST. The FDIC has determined that aspects of FISMA apply to the\nCorporation.\n\nUnder FISMA, agency heads are responsible for providing information security\nprotections commensurate with the risk and magnitude of harm resulting from the\nunauthorized access, use, disclosure, disruption, modification, or destruction of\ninformation and information systems. Agency heads are also responsible for complying\nwith the requirements of FISMA and related policies, procedures, standards, and\nguidelines. FISMA directs federal agencies to report annually to the OMB Director,\nComptroller General, and selected congressional committees on the adequacy and\neffectiveness of agency information security policies, procedures, and practices and\ncompliance with FISMA. In addition, FISMA requires agencies to have an annual\nindependent evaluation performed of their information security programs and practices\nand to report the evaluation results to OMB. FISMA states that the independent\nevaluation is to be performed by the agency IG or an independent external auditor as\ndetermined by the IG. OMB has responsibility for overseeing agency information\nsecurity policies and practices and reporting annually to the Congress on agency\ncompliance with FISMA requirements. OMB\xe2\x80\x99s primary agency security policy is OMB\nCircular No. A-130, Management of Federal Information Resources, Appendix III,\nSecurity of Federal Automated Information Resources (OMB A-130, Appendix III),\ndated November 28, 2000.7\n\nFISMA directs NIST to develop risk-based standards and guidelines to assist agencies in\ndefining minimum security requirements for the non-national security systems used by\nagencies.8 NIST has developed such standards and guidelines as part of its FISMA\nImplementation Project and is developing additional standards and guidelines. NIST\nstandards and guidelines are introducing significant changes in the manner in which\nfederal agencies, including the FDIC, protect their information and information systems.\nFigure 1, on the following page, illustrates the relationship of key NIST security\nstandards and guidelines. Of those NIST security standards and guidelines shown in the\n\n7\n    OMB A-130, Appendix III was last revised on February 8, 1996 and was republished on November 28, 2000.\n    Various provisions of that appendix are legally binding on the FDIC.\n8\n    FISMA authorizes the Secretary of Commerce to make NIST standards compulsory for executive agencies to\n    the extent determined necessary to improve the efficiency and security of federal information systems. The\n    Secretary of Commerce exercises this authority subject to the direction of the President and in coordination\n    with the OMB Director. Whether a NIST publication is legally binding upon the FDIC depends on the\n    nature of the publication and the statutory basis(es) under which the publication was promulgated.\n\n\n\n                                                        5\n\x0cfigure, NIST finalized Federal Information Processing Standards Publication (FIPS\nPUB) 200, Minimum Security Requirements for Federal Information and Information\nSystems, and published drafts of Special Publication (SP) 800-53A, Guide for Assessing\nthe Security Controls in Federal Information Systems; and SP 800-18 Revision 1, Guide\nfor Developing Security Plans for Federal Information Systems, following our 2005\nevaluation.9 Security program officials should consider whether it is prudent for their\nagencies to implement draft NIST standards and guidelines (or portions thereof) before\nthe standards and guidelines become effective.\n\nFigure 1: Managing Enterprise Risk (The Framework)\n                                                                          FIPS PUB 199 / SP 800-60\n                      FIPS PUB 200/SP 800-53                                                                                      SP 800-37\n                                                                         STARTING POINT\n                       Security Control                                       Security                                     Security Control\n                          Selection                                        Categorization                                    Monitoring\n      Selects minimum-security controls (i.e., safeguards and      Defines category of information system     Continuously tracks changes to the information system\n        countermeasures) planned or in place to protect the         according to potential impact of loss      that may affect security controls and assesses control\n                      information system                                                                                           effectiveness\n               SP 800-53 / FIPS PUB 200 / SP 800-30                                                                               SP 800-37\n\n                       Security Control                                                                                         System\n                         Refinement                                                                                          Authorization\n     Uses risk assessment to adjust minimum control set based on                                              Determines risk to agency operations, agency assets, or\n       local conditions, required threat coverage, and specific                                                individuals and, if acceptable, authorizes information\n                         agency requirements                                                                                     system processing\n                                                                                                                     SP 800-53A /SP 800-26/ SP 800-37\n                              SP 800-18\n                                                                                SP 800-70\n\n                       Security Control                                                                                    Security Control\n                        Documentation                                     Security Control                                   Assessment\n                                                                          Implementation\n         In system security plan, provides an overview of the                                                   Determines the extent to which the security controls are\n         security requirements for the information system and        Implements security controls in new or\n                                                                                                                  implemented correctly, operating as intended, and\n          documents the security controls planned or in place       legacy information systems; implements\n                                                                                                                 producing desired outcomes with respect to meeting\n                                                                        security configuration checklists\n                                                                                                                                security requirements\n\n\n\nSource: NIST.\n\nCorporate policies and procedures related to the internal operation of the FDIC that affect\nmore than one FDIC division or office are published through the FDIC Directives\nSystem. In addition to using other corporate-wide policies and procedures, the FDIC\nuses the Directives System to issue information security policy, procedure, and guidance\nof FDIC-wide interest. The FDIC\xe2\x80\x99s Division of Administration (DOA) administers the\nFDIC Directives Management Program, including the review of proposed directives for\nconformance to editorial standards, distribution of final directives, documentation of the\nchange process for directives, and maintenance of current and historical versions of the\ncorporate directives. The FDIC\xe2\x80\x99s Division of Information Technology (DIT) has\nestablished and administers additional internal policies and procedures related to DIT\noperations.\n\n\n\n\n9\n    NIST issues information security standards as FIPS PUBs and information security guidance as Special\n    Publications (SP). Appendix I provides additional information about FIPS PUBs and SPs, including the\n    applicability of these publications to the FDIC.\n\n\n\n                                                                                   6\n\x0cFDIC Systems and Applications\n\nThe FDIC relies extensively on information systems to support its business operations.\nDIT maintains 8 general support systems10 that provide basic processing and\ncommunications support for the 279 business application systems11 in the Corporation\xe2\x80\x99s\napplication inventory. The FDIC\xe2\x80\x99s business applications collect, process, store, and\ndistribute mission-critical information, such as personnel and bank data, in support of the\nCorporation\xe2\x80\x99s three primary program areas (Insurance, Supervision and Consumer\nProtection, and Receivership Management). The FDIC has classified seven of the\nbusiness application systems as major applications.12 Table 1 identifies the FDIC\xe2\x80\x99s\ngeneral support systems and major applications.\n\nTable 1: The FDIC's General Support Systems and Major Applications\n                           Mainframe\n                           Remote Access\n                           Voice/Video\n     General Support       Mid-range Servers\n        Systems            Local Area Network/Wide Area Network (LAN/WAN)\n                           Windows 2000 Servers\n                           Public Key Infrastructure\n                           Personal Systems\n                           New Financial Environment\n                           Legal Integrated Management System\n                           Assessment Information Management System II\n        Major\n      Applications         Risk-Related Premium System\n                           Virtual Supervisory Information on the Net\n                           Receivership Liability System\n                           FDICconnect\nSource: DIT risk management inventory as of August 29, 2006.\n\n\n\n\n10\n   OMB A-130, Appendix III, defines a general support system as an interconnected set of information\n   resources under the same direct management and that shares common functionality. A system normally\n   includes hardware, software, information, applications, communications, and people.\n11\n   According to the Application Systems Baseline Inventory management report as of July 31, 2006. The\n   August 29, 2006 DIT Information Security Staff (ISS) risk management inventory, used for FISMA\n   reporting, identified 165 FDIC information systems\xe2\x80\x94150 systems from the Applications Systems Baseline\n   Inventory, 8 general support systems, and 7 contractor systems not included in the Application Systems\n   Baseline Inventory. According to ISS, the remaining 129 systems of the Application Systems Baseline\n   Inventory were no longer in service, or were tools, utilities, configurations, or other objects that were not\n   application systems and, therefore, were not included in the ISS risk management inventory.\n12\n   OMB A-130, Appendix III, defines a major application as one that requires special attention to security due\n   to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to, or modification\n   of, the information in the application.\n\n\n\n                                                       7\n\x0cInformation Technology Security Governance\n\nSeveral key components comprise the FDIC\xe2\x80\x99s IT security governance structure. As\nillustrated in Figure 2, these components include the FDIC Chairman and Board of\nDirectors; CIO; Chief Operating Officer (COO); Chief Financial Officer (CFO); and the\nDirectors of DIT, DOA, and other divisions and offices that own information systems.\nThe Chairman and Board of Directors are ultimately responsible for the security of the\nFDIC\xe2\x80\x99s information\nand information            Figure 2: The FDIC's IT Security Governance\nsystems. The CFO\nand CIO co-chair a                                             Chairman and Board of Directors\n\nCapital Investment            Office of Inspector General                                            Chief Information Officer\nReview Committee                                                                                    Chief Information Security Officer\n(CIRC), which\nreviews and monitors\ncapital projects,              Chief Financial Officer              Chief Operating Officer                      General Counsel\n\nincluding IT projects.                                    Director, Division of Supervision & Consumer\n                                                                                                                   Legal Division\nThe CIO has                   Director, Division of\n                                                                            Protection\n                                                          Director, Division of Information Technology\nresponsibility for the               Finance               Director, Division of Insurance & Research\n                                                               Director, Division of Resolutions &\nFDIC\xe2\x80\x99s information                                                         Receiverships\n                                                               Director, Division of Administration\nsecurity program,\nincluding FISMA\ncompliance. The             Source: OIG Analysis of FDIC\xe2\x80\x99s roles and responsibilities.\nCIO also serves as\nthe FDIC\xe2\x80\x99s Chief Privacy Officer and Director, DIT. In addition, a CIO Council,\ncomposed of senior agency managers, advises the CIO on all aspects of IT, including\nsecurity. The COO manages the FDIC\xe2\x80\x99s operating divisions, including DIT and DOA.\nDIT is responsible for providing a secure IT infrastructure and systems. DOA is\nresponsible for providing physical and personnel security for the FDIC. Other division\nand office heads are responsible for ensuring that systems under their ownership or\ncontrol conform to the FDIC\xe2\x80\x99s security requirements. The OIG performs audits and\nevaluations of the FDIC\xe2\x80\x99s information security controls, including the annual\nindependent evaluation of the Corporation\xe2\x80\x99s security program required by FISMA.\n\nThe CIO has assigned primary responsibility for planning, developing, and implementing\nthe FDIC\xe2\x80\x99s information security program and operations to an Associate Director in DIT,\nwho reports directly to the CIO. In addition, the FDIC has established eight Information\nSecurity Managers (ISMs) within its program divisions and offices to ensure a business\nfocus on information security. The responsibilities of ISMs include promoting security\nawareness, providing security management and technical advice on behalf of their\ndivisions and offices, and assessing the level of security needed and in place in FDIC\xe2\x80\x99s\nsystem\xe2\x80\x99s and applications. DIT\xe2\x80\x99s operating and capital investment budget for calendar\nyear 2006 is approximately $191 million, of which approximately $16 million related to\nIT security.\n\nDOA\xe2\x80\x99s Security Management Section is responsible for administering the FDIC's\nphysical and personnel security programs. Physical security includes activities such as\n\n\n                                                                   8\n\x0cbadging employees, contractors, and visitors and protecting employees, visitors, and\nfacilities from internal and external threats such as fire, theft, vandalism, sabotage, and\nterrorist activities. Personnel security includes activities such as performing credit\nchecks, fingerprint checks, and background investigations of FDIC employees and\ncontractors. The Security Management Section is also responsible for managing,\ndirecting, and testing the FDIC\xe2\x80\x99s Emergency Preparedness Program, which includes the\nFDIC\xe2\x80\x99s Emergency Response Plan and the Business Continuity Plan (BCP). DIT and\nDOA coordinate on relevant corporate security matters.\n\nEnvironmental factors also impacted information security at the FDIC during the past\nyear. For example, following our 2005 security evaluation, the FDIC vacated 3 leased\noffice buildings in Washington, D.C., and moved about 750 employees and contractors to\na newly completed expansion of its Arlington, Virginia, facility. In addition, the FDIC\nhas established a new disaster recovery data center to provide the Corporation with a\nmore robust disaster recovery architecture and full control over its disaster recovery\ncapability. These areas presented additional challenges in physical security for the\nFDIC\xe2\x80\x99s information security.\n\nAccording to the June 2006 DIT Monthly Status Report, DIT completed a pilot project, in\nJune 2006, to apply the principles of the Control Objectives for Information and related\nTechnology (COBIT\xc2\xae)13 to the FDIC\xe2\x80\x99s IT processes. As part of the project, DIT\ndeveloped a new, automated risk assessment and process maturity tool that focuses on\nIT-specific processes and control objectives. DIT completed an initial mapping of its\norganization and functions to the COBIT\xc2\xae framework and is now updating management\ncontrol plans to reflect a process orientation to replace its former organizational and\nfunctional orientation. The COBIT\xc2\xae approach recognizes that many IT responsibilities\nare shared across the organization and must be treated in an enterprise-wide manner.\nFurther, DIT is identifying process owners who will be charged with understanding and\nmonitoring the internal controls over an entire process rather than those that fall within\ntheir organizational boundaries.\n\nPrior-Year Security Control Evaluations\n\nIn previous years, based on our analysis of long-standing requirements in security-related\nstatutes, policies, and guidance and consideration of the FDIC\xe2\x80\x99s business and IT\nenvironment, we identified key management control areas associated with the FDIC\xe2\x80\x99s\ninformation security program. For each of the management control areas, we provided an\nassessment in terms of the level of assurance that the management control provided\nadequate security over the FDIC's information resources. Using each of the management\ncontrol assessments as a basis and considering associated risks, we evaluated the\nCorporation\xe2\x80\x99s overall information security program and compared it to previous security\nevaluation results. In this manner, we were able to evaluate the FDIC\xe2\x80\x99s progress in\nstrengthening its information security program and practices.\n\n13\n     COBIT\xc2\xae is an IT governance framework and supporting toolset that allows managers to bridge the gap\n     between control requirements, technical issues, and business risks. COBIT\xc2\xae enables clear policy\n     development and good practice for IT control throughout organizations.\n\n\n\n                                                       9\n\x0cFederal security control requirements and assessment methodologies have changed\ndramatically in recent years in response to new NIST security standards and guidelines.\nAs a result, we modified our prior-year security program assessment methodology to be\nconsistent with the security control framework defined in FIPS PUB 200 for protecting\nthe confidentiality, integrity, and availability of information and information systems.\nAdditionally, NIST SP 800-53, Recommended Security Controls for Federal Information\nSystems, builds upon FIPS PUB 200 by defining a framework comprised of three general\nclasses of security controls (i.e., management, operational, and technical) that collectively\ncontain the 17 security control families identified in FIPS PUB 200.14 We included one\nadditional control class (i.e., program) in our assessment methodology based on our\nresearch of relevant security-related statutes, regulations, policies, and guidelines. Due to\nthe magnitude of the changes in our assessment methodology, we determined that a direct\ncomparison of our current year results to prior year results would not be performed this\nyear. Appendixes I and II provide a detailed description of our new security program\nassessment methodology.\n\n\n\n\n14\n     Federal agencies must meet the minimum security requirements defined in FIPS PUB 200 through the use of\n     the controls in SP 800-53. The applicability of these publications to the FDIC has not been determined.\n\n\n\n                                                      10\n\x0cRESULTS OF EVALUATION\n\nThe FDIC has made significant progress in recent years in addressing the information\nsecurity requirements of FISMA and NIST, and additional security control improvements\nwere underway at the time of our evaluation. This progress is noteworthy given the\nconsiderable increase in security-related requirements. In particular, the FDIC has\ncertified and accredited all but one of its major applications15 and general support\nsystems consistent with NIST security standards and guidelines. Additionally, the FDIC\nhad revised its information security-risk management methodology in June 2006 to\nachieve cost-efficiencies in its certification and accreditation program. Further, the FDIC\nhas established a new organizational structure as part of its IT program transformation,\nconsolidated many of its IT security-related contracts, and implemented a new corporate\nIT disaster recovery capability. These accomplishments are notable; however, continued\nmanagement attention is warranted in a number of key security control areas to ensure\nthat appropriate risk-based and cost-effective security controls are in place.\n\nWe structured the results of our security program assessment according to the security\ncontrol framework defined in FIPS PUB 200 and SP 800-53. We included one additional\ncontrol class (i.e., program) in our results based on our research of relevant security-\nrelated statutes, regulations, policies, and guidelines.\n\nBased on our security program assessment, we concluded that the FDIC\xe2\x80\x99s program,\nmanagement, operational, and technical security controls collectively provided limited\nassurance of adequate security over corporate information resources. However, our work\ndid not identify any significant deficiencies in the FDIC\xe2\x80\x99s information security program\nthat warrant consideration as a potential material weakness as defined by the OMB.16\nTable 2, on the following page, summarizes our assessment results based on the security\ncontrol testing we performed.17\n\n\n\n\n15\n   The CIO provided the FDIC\xe2\x80\x99s New Financial Environment system with an interim authorization to operate\n   while the FDIC addresses security risks identified during the certification and accreditation process.\n   Information systems are not certified and accredited during the interim authorization period.\n16\n   FISMA requires agencies to report any significant deficiency in a policy, procedure, or practice as a material\n   weakness in reporting under the FMFIA. FMFIA requires agencies to evaluate their internal control systems\n   on an annual basis and to report the results of the evaluation, along with any material weaknesses and plans\n   for corrective actions, to the President and the Congress. These requirements were made applicable to the\n   FDIC by the Chief Financial Officers Act of 1990.\n17\n   Our evaluation did not include an assessment of the System and Communications Protection or the Systems\n   and Services Acquisition control families. Appendix II describes the security control testing we performed\n   within each control family.\n\n\n\n                                                       11\n\x0cTable 2: OIG Assessment of the FDIC's Security Controls\n\n   Control          Control Families Tested That              Control Families Tested That\n    Class            Demonstrate Effectiveness               Warrant Management Attention\n\n                \xe2\x80\xa2 Information Security Governance        \xe2\x80\xa2 Enterprise Architecture\n Program\n                                                         \xe2\x80\xa2 Capital Planning\n\n                \xe2\x80\xa2 Risk Assessment                        \xe2\x80\xa2 Certification, Accreditation, and\n Management\n                \xe2\x80\xa2 Planning                                 Security Assessments\n\n                \xe2\x80\xa2 Contingency Planning                   \xe2\x80\xa2 Personnel Security\n                \xe2\x80\xa2 Incident Response                      \xe2\x80\xa2 Physical Security and Environmental\n                \xe2\x80\xa2 Awareness and Training                   Protection\n Operational                                             \xe2\x80\xa2 Configuration Management\n                                                         \xe2\x80\xa2 Maintenance\n                                                         \xe2\x80\xa2 System and Information Integrity\n                                                         \xe2\x80\xa2 Media Protection\n\n                \xe2\x80\xa2 Identification and Authentication      \xe2\x80\xa2 Access Control\n Technical\n                                                         \xe2\x80\xa2 Audit and Accountability\nSource: 2006 OIG Evaluation of the FDIC\xe2\x80\x99s Information Security Program.\n\n\n\n\n                                                 12\n\x0cPROGRAM CONTROLS\n\nProgram controls define an enterprise-wide framework for planning, directing, and\ncontrolling resources to achieve agency security objectives. Based on our analysis of\nrelevant security-related statutes, regulations, policies, standards, and guidelines, we\nidentified three program control families to include in our FISMA evaluation this year:\nInformation Security Governance, Enterprise Architecture, and Capital Planning. In\nsummary, the controls we tested in the area of Information Security Governance were\neffective. However, the controls we tested related to Enterprise Architecture and Capital\nPlanning warranted management attention.\n\nInformation Security Governance\n\nInformation security governance involves the implementation of an enterprise-wide\ncontrol structure that provides management with reasonable assurance that its security\ngoals and objectives are being achieved. Governance consists of enterprise-wide security\nprogram policies and procedures that define key roles and responsibilities and monitoring\nto assess whether security controls are achieving intended results. FISMA defines\nspecific responsibilities and authorities for agency heads,18 senior agency officials, and\nCIOs. Among those responsibilities are requirements for the CIO to develop and\nmaintain an information security program and report annually to the agency head on the\neffectiveness of the program and progress of remedial actions.\n\nThe FDIC has appointed a permanent CIO with corporate accountability and authority for\ninformation security, a senior agency information security officer who reports directly to\nthe CIO, and a CIO Council composed of senior agency managers who advise the CIO on\nall aspects of IT. The FDIC has established a number of policies, procedures, and\nguidelines that generally define the security roles and responsibilities of corporate\nofficials and contractor personnel. In addition, DIT published a new Information Security\nStrategic Plan, and the CIO made periodic presentations to senior agency officials,\nincluding the FDIC Audit Committee, on corporate information security initiatives and\nefforts to remediate information security weaknesses.\n\nFollowing our 2005 security evaluation, DIT also began implementing a COBIT\xc2\xae-based\ninternal control review program and included six security-related metrics in its divisional\nperformance reports. Such control improvements are important for ensuring that\ncorporate security goals and objectives are attained. To further enhance its information\nsecurity governance, the FDIC should consider additional measures. Specifically, the\nFDIC can promote greater corporate awareness of security roles and responsibilities by\nformally coordinating through DOA on security-related policies, procedures, and\nmemoranda issued by divisions, offices, and corporate committees. We noted that some\n\n\n18\n     For the purposes of our evaluation, we consider the FDIC\xe2\x80\x99s Chairman to be the head of the Corporation.\n     Nevertheless, the FDIC\xe2\x80\x99s Board of Directors, by statute, has overall responsibility for managing the\n     Corporation. The Board consists of five members: the Chairman, Vice Chairman, Director, Director of\n     the Office of Thrift Supervision, and Comptroller of the Currency.\n\n\n                                                      13\n\x0cinternal DIT security policies and procedures posted on its internal Web site defined\nsecurity roles and responsibilities of personnel in other FDIC divisions and offices.\n\nWhile the FDIC has components of a sound information security governance structure in\nplace, such as the CIRC and CIO Council, the Corporation could also benefit from clearly\narticulating overall information security governance roles, responsibilities, and\nrelationships, including those of senior agency management. Draft SP 800-100, dated\nJune 2006, entitled, Information Security Handbook: A Guide for Managers, suggests\nthat agencies should integrate their information security governance activities with the\noverall agency structure and activities by ensuring appropriate participation of agency\nofficials in overseeing implementation of information security controls throughout the\nagency. Further, new and evolving security requirements and recent highly publicized\ndata security breaches involving federal agencies underscore the importance of senior\nmanagement oversight of security. Industry research also suggests that a powerful\napproach to achieving effective integration of enterprise security risk management is\nimplementing a business-focused \xe2\x80\x9ccouncil\xe2\x80\x9d of senior organization leaders to provide\ngovernance of security program activities.\n\nEnterprise Architecture\n\nAn EA defines, in business and technological terms, an organization\xe2\x80\x99s current and target\noperating environments, including its IT security architecture. Effectively representing\nsecurity information in an EA ensures that security is adequately incorporated into\nagency system life-cycle processes, as required by FISMA. In addition, FISMA requires\nagencies to develop and maintain an inventory of major information systems, which is a\nfundamental component of an agency EA.\n\nThe FDIC has taken a number of important steps toward full implementation of a\ncorporate-wide EA. Of particular note, the FDIC has established an EA policy and EA\ngovernance structure, adopted a system development life-cycle (SDLC) methodology,19\nand developed an EA repository to store, classify, and organize its EA data (including\nsecurity data). Additionally, the FDIC hired a Deputy Director, Enterprise Technology\nBranch, in May 2006 and a Chief Enterprise Architect in July 2006 to further its EA\nprogram.\n\nWhile these steps are positive, more work remains to fully define the FDIC\xe2\x80\x99s IT security\narchitecture and use this information as part of an applied EA. DIT officials indicated\nthat they were working to update two key EA components (the FDIC Technical\nReference Model20 and Security Standards Profile21) and integrate them into the EA\nrepository. Once completed, DIT will need to define procedures for the development,\n\n19\n   The FDIC\xe2\x80\x99s Rational Unification Process (RUP\xc2\xae) SDLC methodology includes FDIC-specific security\n   requirements applicable to each phase of the development of an IT project.\n20\n   The Technical Reference Model identifies and describes, among other things, the security services used\n   throughout the agency.\n21\n   The Security Standards Profile identifies the security standards specific to the security services (such as\n   access control and authentication) specified in the agency\xe2\x80\x99s EA.\n\n\n\n                                                         14\n\x0cmaintenance, and use of its EA repository. Such procedures will provide assurance that\ninformation systems are consistent with an approved security architecture.22 The FDIC\nshould leverage its existing EA repository to centrally manage, track, and report risk-\nmanagement-related information, such as security categorizations and test and\nauthorization dates. Further, the FDIC needed to update its inventory of information\nsystems to identify contractor systems and systems\xe2\x80\x99 interfaces with all other systems or\nnetworks, including those not operated by or under the control of FDIC, as required by\nFISMA. Once fully implemented, the EA repository is expected to provide an\nautomated, comprehensive, accurate, and dynamic system inventory and baseline of the\nFDIC\xe2\x80\x99s approved IT security architecture.\n\nOn June 1, 2006, the Federal CIO Council published The Federal Enterprise Architecture\nSecurity and Privacy Profile, version 2.0. This profile can provide the FDIC with\nvaluable guidance on incorporating security into the FDIC\xe2\x80\x99s EA.\n\nCapital Planning\n\nOMB Circular A-130 defines the capital planning and investment control process as the\nongoing process for identifying, selecting, controlling, and evaluating IT investments.23\nThe circular states that investments in new or existing information systems must\ndemonstrate that the cost of security controls are understood and explicitly incorporated\ninto the life-cycle planning of the overall system. The circular also states that the costs of\nsystem security controls must be commensurate with the risk and magnitude of harm that\ncould result from the loss, misuse, unauthorized access to, or modification of the\ninformation stored or flowing through the system. In addition, the OMB has issued\npolicy and guidance requiring agencies to (1) integrate security into the life cycle of their\nsystems development, modernization, and enhancement efforts and (2) ensure steady-\nstate operations meet existing security requirements before new funds are spent on\nsystems development, modernization, or enhancements.24 FISMA states that agency\nheads are responsible for ensuring that information security management processes are\nintegrated with agency strategic and operational planning.\n\nThe FDIC established and implemented a number of key controls for integrating security\ninto the life-cycle planning and management of its capital IT investments. Specifically,\nthe FDIC has an Information Technology Strategic Plan, which includes a key goal\nrelated to information security, and published an Information Security Strategic Plan in\n2006 to help ensure that security is integrated into the FDIC\xe2\x80\x99s strategic and operational\nplanning. Also, the FDIC has developed a formal CPIM program to plan and manage its\n\n22\n   Recent GAO and OIG audits identified internal control weaknesses relating to security policies and standards\n   that had not been adequately incorporated into the design of FDIC information systems.\n23\n   The FDIC is voluntarily implementing (i.e., is not required by statute) a capital planning and investment\n   control process, referred to as the capital planning and investment management (CPIM) process.\n24\n   Such OMB policy and guidance includes, but is not limited to, Circular No. A-11, Preparation, Submission,\n   and Execution of the Budget, and Memoranda M-00-07, Incorporating and Funding Security in Information\n   Systems Investments; and M-06-19, Reporting Incidents Involving Personally Identifiable Information and\n   Incorporating the Cost for Security in Agency Information Technology Investments.\n\n\n\n                                                      15\n\x0ccapital IT investments; established corporate committees25 to evaluate whether\ninformation and physical security is adequately addressed in proposed capital IT\ninvestments; and established a series of accounting codes in its accounting system to\nidentify and track certain security-related costs. These accomplishments are notable;\nhowever, more work is needed to ensure that security is fully integrated into the life-cycle\nmanagement of the FDIC\xe2\x80\x99s IT investments.\n\nAt the time of our evaluation, the FDIC was working to define procedures in its RUP\xc2\xae\nsystems development methodology and related guidance for project-level reporting and\ninteraction with the FDIC Enterprise Architecture Board.26 Such procedures will provide\nassurance that security controls being considered for capital investment projects are\nadequately evaluated for consistency with the FDIC\xe2\x80\x99s security architecture. Regarding\nsecurity costs, the FDIC estimates and tracks certain security costs, such as the costs of\nperforming security testing and evaluation (ST&E) (i.e., security assessments), associated\nwith its capital IT investments27 as part of its CPIM process. However, as we have\nreported in our prior-year security evaluation reports, the FDIC\xe2\x80\x99s budget formulation\nprocess differs from the processes followed by other agencies that are bound by the\nfederal appropriations process. The FDIC devotes less attention to security program cost\nmanagement than required at appropriated agencies. For example, the FDIC generally\ndoes not, and is not required to:\n\n     \xe2\x80\xa2   Identify and track security program costs consistent with OMB Circular A-11,\n         Preparation, Submission, and Execution of the Budget; and SP 800-65,\n         Integrating IT Security Into the Capital Planning and Investment Control\n         Process.\n     \xe2\x80\xa2   Estimate the resources required to remediate individual security weaknesses on\n         Plans of Action and Milestones (POA&Ms) as described in OMB\xe2\x80\x99s FISMA\n         reporting instructions.\n     \xe2\x80\xa2   Allocate security program costs to its major IT investments.28\n\nWe plan to work with the Corporation in the coming year to explore measures that the\nFDIC can take to strengthen its security cost management practices. Such measures may\n\n\n\n25\n   The CIRC and the CIO Council have responsibilities for reviewing, recommending, and monitoring\n   corporate IT investments.\n26\n   The Board is responsible for recommending cost-effective and efficient corporate solutions by evaluating the\n   degree to which proposed projects align with the target EA.\n27\n   The FDIC generally defines capital investments as projects that have a total investment budget of $3 million\n   or more and other projects deemed to have significant corporate impact. The FDIC prepares a business case\n   containing an aggregate security cost estimate for each capital investment. However, the security cost\n   estimates are used for informational purposes only and are not determined through an analysis of historical\n   costs. At the close of our evaluation, the FDIC was managing three capital investment projects.\n28\n   NIST SP 800-65 defines a major IT investment as, among other things, a system or investment that requires\n   special management attention because of its importance to an agency\xe2\x80\x99s mission or is an integral part of the\n   agency\xe2\x80\x99s EA. The financial justification for one such project at the FDIC, the Deposit Insurance Reform\n   project, did not identify how much of the $9.6 million cost estimate related to information security.\n\n\n\n                                                      16\n\x0cinclude, for example, the development of written guidance to ensure that IT security costs\nare consistently identified, tracked, and reported at both the IT project and corporate\nlevels.\n\n\n\n\n                                            17\n\x0cMANAGEMENT CONTROLS\n\nManagement controls are the safeguards or countermeasures related to an information\nsystem that focus on the management of risk and system security. SP 800-53 divides\nmanagement controls into four control families: Risk Assessment; Planning; System and\nServices Acquisition; and Certification, Accreditation, and Security Assessments. In\nsummary, we found that the controls we assessed in the areas of Risk Assessment and\nPlanning are effective. However, the controls assessed in the area of Certification,\nAccreditation, and Security Assessments warrant management attention. Due to our\nlimited testing of System and Services Acquisition controls, we did not assess this control\nfamily as part of our current-year work.\n\nRisk Assessment\n\nRisk is the probability of an adverse event occurring. Risk assessment involves the\nimplementation of policies, procedures, and practices for categorizing information and\nsystems, performing and updating system risk assessments, and performing regular\nsystem vulnerability scanning. Under FISMA, agencies are responsible for providing\nsecurity protections commensurate with the risk and magnitude of harm resulting from\nthe unauthorized access, use, disclosure, disruption, modification, or destruction of\ninformation and information systems.\n\nThe FDIC developed and implemented risk assessment policies and procedures for\nFDIC-owned and operated systems that were generally consistent with NIST security\nstandards and guidelines. Regarding its LAN/WAN system, the FDIC was scanning\nLAN/WAN equipment for security vulnerabilities on a regular basis and taking\nappropriate remedial actions. In addition, our independent testing of a sample of\nLAN/WAN routers and switches found that their security configurations were generally\nconsistent with defined security baseline configurations.\n\nFollowing our 2005 security evaluation, DIT developed procedures for performing\nmonthly vulnerability scans of contractor-owned computers connected to the FDIC\xe2\x80\x99s\nnetwork. We noted that DIT performed monthly vulnerability scans of such contractor-\nowned computers through March 2006 but that the scans had not been performed in April\nor May 2006. In addition, some, but not all, contractor-owned computers connected to\nthe network were scanned in June and July 2006. We spoke with DIT officials about this\nmatter and learned that contractor-owned computers were not scanned during the\nreferenced periods due to a technical error. The FDIC is heavily dependent on\ncontractors to provide IT development and support activities and has recently sought to\nphysically locate contractor staff in FDIC facilities to reduce costs and security risks.\nThe FDIC can achieve greater security assurance by ensuring that all contractor-owned\ncomputers connected to the network are identified and scanned for vulnerabilities on a\nmonthly basis as described in DIT\xe2\x80\x99s IT security self-assessment procedures.\n\n\n\n\n                                             18\n\x0cPlanning\n\nPlanning involves the implementation of policies, procedures, and practices for\ndeveloping system security plans. Security plans provide an overview of system security\nrequirements and describe the security controls in place or planned for meeting those\nrequirements. Planning also involves establishing rules that describe user responsibilities\nand expected behavior related to system usage, as well as conducting system privacy\nimpact assessments (PIA).29\n\nThe FDIC\xe2\x80\x99s security planning policies and procedures were generally consistent with\nNIST security standards and guidelines. However, guidance for preparing system\nsecurity plans should be enhanced to require that security plans describe how common\nsecurity controls30 are considered in the security certification and accreditation (C&A)\nprocess described later in this report. ST&E of common security controls are performed\nseparately from ST&E of application and general support system security controls.\nTherefore, enhancing guidance for preparing system security plans would provide greater\nassurance that all relevant risks are considered when accrediting an application or system\nand promote efficiency because common controls are assessed in separate ST&Es.\nRegarding PIAs, the FDIC has developed procedures for performing PIAs of its systems\ncontaining information in an identifiable form.31 As reported in our Audit Report\nNo. 06-018, the FDIC had completed PIAs on 43 of the 46 information systems it\nidentified as containing information in an identifiable form. PIAs for the remaining\nsystems, as well as efforts to identify additional systems, were planned or underway at\nthe close of our audit.\n\nSystem and Services Acquisition\n\nSystem and services acquisition involves allocating resources to protect information\nsystems, implementing an SDLC methodology that addresses security, and including\nsecurity requirements and/or specifications in systems acquisitions. System and services\nacquisition also involves developing systems documentation, enforcing software usage\nrestrictions, and ensuring proper security engineering principles, configuration\nmanagement, and testing in applications systems development projects.\n\n\n\n29\n   PIAs are required under the E-Government Act of 2002 as implemented by OMB\xe2\x80\x99s September 26, 2003\n   memorandum (M-03-22) entitled, OMB Guidance for Implementing the Privacy Provision of the\n   E-Government Act of 2002. PIAs must address the type of information being collected from individuals;\n   why the information is being collected; the intended use of the information; with whom the information will\n   be shared; which notice or opportunities for consent would be provided to individuals regarding the\n   information that is collected and how the information is shared; how the information will be secured; and\n   whether a system of records is being created under the Privacy Act.\n30\n   Common security controls can be applied to one or more information systems.\n31\n   OMB defines \xe2\x80\x9cinformation in an identifiable form\xe2\x80\x9d as information in a system or on-line collection that\n   directly identifies an individual (e.g., name, address, Social Security number or other identifying code,\n   telephone number, e-mail address, etc.) or by which an agency intends to identify specific individuals in\n   conjunction with other data elements.\n\n\n\n                                                      19\n\x0cAlthough we performed limited work in the area of system and services acquisition for\nthis evaluation, we noted that the FDIC had established policies and procedures in key\nsystem and services acquisition areas. However, the FDIC needed to update Circular\n1320.3, Systems Development Life Cycle (SDLC) Version 3.0, dated July 17, 1997, to be\nconsistent with the FDIC\xe2\x80\x99s Rational Unified Process (RUP\xc2\xae) SDLC methodology\nestablished in 2004.32 RUP\xc2\xae is a key control for ensuring that security is integrated into\nthe life-cycle management of the FDIC\xe2\x80\x99s information systems.\n\nCertification, Accreditation, and Security Assessments\n\nThe C&A of federal information systems is critical to securing the government\xe2\x80\x99s\noperations and assets. Certification involves the evaluation of an information system\xe2\x80\x99s\nmanagement, operational, and technical security controls. Accreditation involves a\nsenior agency official\xe2\x80\x99s authorization of an information system to operate, including\nacceptance of any residual risk associated with operating the system. ST&E is performed\nin support of C&A. OMB requires agencies to certify and accredit their information\nsystems in accordance with federal security policies, standards, and guidelines. In\naddition, the OMB has placed a high priority on fully certifying and accrediting federal\ninformation systems.\n\nIn our-prior year security evaluation, we reported that the FDIC had established C&A\nprogram controls that were generally consistent with NIST security standards and\nguidelines but that improvements in some areas were needed. In February 2006, we\nissued a separate audit report recognizing the significant strides that the FDIC had made\nin developing its C&A program in response to emerging NIST requirements.33 Our\nreport also identified opportunities for the FDIC to further strengthen its C&A policies,\nprocedures, and guidelines. In June 2006, DIT revised its risk management methodology\nto achieve cost-efficiencies in its C&A processes and ensure alignment with\nNIST-recommended security standards and guidelines. At the close of our evaluation,\nDIT was working to complete revisions to its IT security risk management methodology,\nincluding the development of procedures for performing (a) continuous monitoring of\nsystems after accreditation and (b) contingency planning of its information systems.\nSuch procedures are critical to ensuring risk-based and cost-effective security oversight\nof the FDIC\xe2\x80\x99s information systems.\n\nIn our prior-year security evaluation, we reported that the FDIC had fully certified and\naccredited one system and granted Interim Authorizations to Operate (IATO) for four\nadditional systems. At the close of our current year evaluation, the FDIC had fully\ncertified and accredited 14 of its 15 major applications and general support systems\nconsistent with NIST security standards and guidelines. Such an accomplishment is\nnotable. Nevertheless, more work remains to ensure that the remaining 152 FDIC\ninformation systems subject to C&A, some of which process sensitive agency\ninformation, are certified and accredited.\n\n32\n   RUP\xc2\xae is a vendor-provided methodology that helps ensure security is considered and implemented\n   throughout the SDLC, which includes multiple check points for security testing.\n33\n   The FDIC\xe2\x80\x99s Security Certification and Accreditation Program, dated February 2006 (Report No. 06-007).\n\n\n\n                                                    20\n\x0cAdditionally, DIT needed to modify its POA&M procedures to ensure that all relevant IT\nsecurity deficiencies are incorporated into or accompany system-level POA&Ms,\nincluding deficiencies identified in GAO, OIG, and any other security reviews. Current\nC&A guidelines provide that only ST&E weaknesses34 are recorded and tracked in\nsystem-level POA&Ms.35 Our analysis of the LAN/WAN and mainframe POA&Ms\nconfirmed that DIT had not included in system-level POA&Ms those deficiencies\nreported by the GAO. Such deficiencies are tracked separately in the FDIC\xe2\x80\x99s Internal\nRisks Information System. Our assessment of the LAN/WAN and mainframe POA&Ms\nfound that ST&E weaknesses were being properly tracked through remediation.\nHowever, the inclusion or accompaniment of GAO or OIG findings within the\nsystem-level POA&M process would benefit the system owners as issues are aggregated,\ntracked centrally, and reviewed monthly as part of the FDIC\xe2\x80\x99s existing C&A procedures.\n\n\n\n\n34\n   An ST&E weakness is a system deficiency identified during a security assessment of the system security\n   controls.\n35\n   OMB\xe2\x80\x99s October 17, 2001 memorandum (M-02-01) entitled, Guidance for Preparing and Submitting Security\n   Plans of Action and Milestones, (and subsequent guidance) states that POA&Ms should reflect consolidation\n   with, or be accompanied by, other agency plans to correct security weaknesses found during any review done\n   by, for, or on behalf of the agency. Such reviews include GAO audits, financial system audits, FISMA\n   reviews, and critical infrastructure vulnerability assessments. The applicability of OMB\xe2\x80\x99s POA&M-related\n   memoranda, including M-02-01, is under consideration by the FDIC.\n\n\n\n                                                     21\n\x0cOPERATIONAL CONTROLS\n\nOperational controls are the safeguards and countermeasures for an information system\nthat are primarily implemented and executed by individuals (as opposed to information\nsystems). Operational controls include nine control families: Personnel Security,\nPhysical and Environmental Protection, Contingency Planning, Configuration\nManagement, Maintenance, System and Information Integrity, Media Protection, Incident\nResponse, and Awareness and Training. In summary, we found the controls that we\ntested in the areas of Contingency Planning, Incident Response, and Awareness and\nTraining were effective. However, the controls we tested related to Personnel Security,\nPhysical Security and Environmental Protection, Configuration Management,\nMaintenance, System and Information Integrity, and Media Protection warrant\nmanagement attention.\n\nPersonnel Security\n\nPersonnel security involves the implementation of policies, procedures, and practices for\nassigning risk designations to positions, screening individuals for those positions, and\nensuring that systems access is terminated when personnel leave an agency or are\ntransferred. Personnel security also involves ensuring that appropriate access agreements\nsuch as nondisclosure and conflict of interest agreements are in place for employees and\ncontractors and implementing a formal sanctions process for personnel that fail to comply\nwith security policies and procedures.\n\nThe FDIC has established personnel-related policies and procedures for its employees\nand contractors that were generally adequate. As part of our evaluation, we judgmentally\nselected 30 current FDIC employees and verified that their background investigations\nwere commensurate with their positions\xe2\x80\x99 risk designations reflected in the FDIC\xe2\x80\x99s\nCorporate Human Resources Information System. In addition, we judgmentally selected\n15 recently-separated FDIC employees and verified that a completed Pre-Exit Clearance\nRecord for Employees was on file for all 15 former employees.36 In addition, DOA was\nworking to address two open recommendations related to personnel security that were\ncontained in a prior OIG audit report.37\n\nA key area of risk related to personnel security involves contractor confidentiality\nagreements. The FDIC\xe2\x80\x99s Acquisition Policy Manual (APM) requires contractors and\nsubcontractors to complete a Contractor Confidentiality Agreement when such\nemployees have access to confidential information, work on-site at the FDIC, or have\n\n36\n   FDIC Circular 2150.1, Pre-Exit Clearance Procedures for FDIC Employees, defines procedures for\n   safeguarding FDIC-owned property and interests when employees leave the Corporation. A key component\n   of these procedures is Form 2150/01, Pre-Exit Clearance Record for Employees, which contains a checklist\n   of items that must be completed as part of the employee\xe2\x80\x99s pre-exit clearance process.\n37\n   In our March 30, 2004 Audit Report No. 04-016 entitled, FDIC\xe2\x80\x99s Personnel Security Program, we\n   recommended, among other things, that the FDIC (a) review employees in moderate-risk level positions to\n   ensure that appropriate background investigations have been performed and (b) re-assess low-risk-level\n   employee positions having access to sensitive data in major applications to ensure that background\n   investigations are completed for these employees commensurate with their access privileges.\n\n\n\n                                                     22\n\x0caccess to FDIC systems. Confidentiality agreements are intended to provide the FDIC\nadded assurance that contractors will properly safeguard confidential information in their\ncustody. We judgmentally selected 30 current contractor employees who we determined\nwould require a confidentiality agreement and found that the agreements for 10 such\nemployees either had not been completed or could not be located. Additionally, we\nreported weaknesses related to contractor and subcontractor confidentiality agreements in\nour August 2006 Audit Report No. 06-016 entitled, Controls Over the Disposal of\nSensitive FDIC Information by Iron Mountain, Inc. The FDIC needed to strengthen\ncontrols over contractor confidentiality agreements to ensure the requirement to protect\nsensitive information is fully understood by cognizant parties and to promote\naccountability.\n\nPhysical Security and Environmental Protection\n\nPhysical and environmental protection relates to those security measures aimed at\nsafeguarding information systems, facilities, and related supporting infrastructures from\nthreats. Such security measures include, but are not limited to, physical access controls,\nemergency power and lighting, fire protection, and temperature and humidity controls.\nSuch measures also include procedures for the delivery and removal of systems\nhardware, firmware, and software to and from facilities.\n\nThe FDIC has established corporate-wide physical security program policies and\nprocedures. However, we identified several physical security control weaknesses during\nour evaluation. In most cases, DOA either had addressed or was taking action to address\nthese weaknesses.\n\nOn July 11, 2006, we conducted a walkthrough of the FDIC\xe2\x80\x99s Virginia Square facility\nand identified a significant amount of documented sensitive information stored in\nunsecured filing cabinets located in common areas. For example, we found\ndocumentation containing information in an identifiable format (i.e., employee names\nand Social Security numbers), attorney-client privileged information, investigation\nresults, and a sensitive discussion of recent litigation. During our audit, we advised DIT\nof the need to secure this information. A DIT official stated that DIT was taking prompt\ncorrective action. Our walkthrough also identified six unsecured mechanical rooms\nhousing the building\xe2\x80\x99s heating, ventilation, and air conditioning systems; water supply;\nand electrical equipment. A DOA official indicated that card readers had originally been\nplanned for the entrances to the mechanical rooms and that installing locks now (as an\ninterim measure) would make installing the card readers more difficult. Prior to the close\nof our field work, DOA had secured all six mechanical rooms.\n\nOn July 18, 2006, we performed a site visit of the FDIC\xe2\x80\x99s new disaster recovery data\ncenter and noted areas where access to facilities could be better controlled. A DOA\nofficial indicated that DOA was aware of the issues and that improvements were planned.\nWith regard to physical access to the FDIC\xe2\x80\x99s Virginia Square Data Center, DOA was\ngenerating reports of employee and contractor access to the center and providing the\nreports to DIT for review and analysis. However, a DIT official indicated that the data\ncenter access reports are reviewed on an ad hoc basis. The FDIC needs to establish a\n\n\n                                             23\n\x0cprocedure for regularly reviewing these reports for potential security incidents consistent\nwith NIST-recommended security practices.\n\nIn addition, we were unable to determine whether selected employees and contractors\nwith access to the FDIC\xe2\x80\x99s Washington, D.C., area facilities had appropriate access\nauthorizations because access authorization documentation was not readily available. We\njudgmentally sampled 30 current employees and contractors and attempted to verify\nwhether FDIC Form 1620/01, Employee/Contractor Identification Card Request, had\nbeen completed and approved.38 A DOA official provided us with access forms for 7 of\nthe 30 employees and contractors but indicated that locating the remaining authorizations\nwould require time and research. At the close of our evaluation, we had not been\nprovided with access forms for the remaining 23 employees and contractors.\n\nWe noted that the FDIC had implemented and regularly tested environmental controls\nwithin the Virginia Square Data Center that are vital to ensuring the availability of critical\nhardware and software. Such controls include cooling systems to maintain appropriate\ntemperature levels, fire detection and suppression to provide life-saving services,\nuninterrupted power to maintain a clean power supply, and diesel generators to provide\nbackup power.\n\nContingency Planning\n\nEffective contingency planning and testing is essential to mitigate the risk of system and\nservice unavailability. Contingency planning involves developing and implementing\nsystem contingency plans that address roles, responsibilities, and activities associated\nwith restoring a system after a disruption or failure. Such planning also involves training\npersonnel, testing systems, performing system backups, and establishing alternative\nprocessing sites.\n\nThe FDIC has established a corporate contingency planning program policy39 and a\nbusiness recovery plan template that are consistent with NIST guidelines. In addition, the\nFDIC has updated its business impact analysis (BIA) to validate its current IT recovery\npriorities. Further, the mainframe and LAN/WAN recovery plans were generally\nconsistent with NIST security guidelines; however, we did note some minor\ndiscrepancies.40 In early March 2006, the FDIC consolidated its IT disaster recovery\noperations at a new location. Later that same month, the FDIC conducted an IT disaster\n\n38\n   FDIC Circular 1610.1, FDIC Physical Security Program, states that administrative officers are responsible\n   for approving form FDIC 1620/01 for all new employees, interns, detailees, and others who require an FDIC\n   identification badge. Once completed and approved, the form is forwarded to DOA Corporate Services\n   Branch.\n39\n   Circular 1360.13, DIRM\xe2\x80\x99s [Division of Information Resources Management] Contingency Planning\n   Program Policy, dated November 22, 2004. DIT formerly operated under the title of DIRM.\n40\n   The FDIC did not incorporate the BIA into the overall business continuity documentation for reference\n   purposes in the event of plan activation as recommended by NIST SP 800-34, Contingency Planning Guide\n   for Information Technology Systems. In addition, the mainframe recovery plan did not address\n   NIST-recommended security controls related to training, exercise and testing schedules, and plan\n   maintenance.\n\n\n\n                                                     24\n\x0crecovery test of its mission-critical applications and general support systems. The FDIC\nhas developed plans to address the issues it identified during the March 2006 test and\nconducted a limited disaster recovery test in June 2006 to determine whether certain\nissues had been adequately addressed. We plan to conduct a more detailed analysis of the\nFDIC\xe2\x80\x99s IT disaster recovery capability in a future audit assignment.\n\nConfiguration Management\n\nKey to ensuring the confidentiality, integrity, and availability of any information system\nis implementing structured processes for managing the inevitable changes that will occur\nduring the system\xe2\x80\x99s life cycle. Such processes, collectively referred to as configuration\nmanagement, include evaluating, authorizing, testing, tracking, reporting, and verifying\nboth hardware- and software-related changes.\n\nThe FDIC has documented guidelines for ensuring the proper configuration of its routers\nand switches and has performed monthly vulnerability scans of this equipment to ensure\nthat security weaknesses have been identified, analyzed, corrected, and documented. In\naddition, routers and switches that we selected for review were configured consistent\nwith the FDIC\xe2\x80\x99s documented baseline configurations. In July 2006, the FDIC\nsignificantly improved the configuration management of its corporate firewalls by\nimplementing a formal change management tool.41 Prior to July 2006, firewall rule set\nchanges were handled through e-mail and did not require formal approvals.\nImplementing the change management tool was a notable improvement, but the corporate\nfirewalls do not have documented baseline configurations. The baseline configuration\ncoupled with a change control process ensure that the current configuration for hardware\nand software is accurate. Such accuracy is critical for decision making regarding the\nneed to implement security patches or functionality upgrades. Once these firewall\nconfigurations are established, the FDIC should use an automated tool to analyze the\nconfiguration of its firewalls, such as the tool used for analyzing the configuration of the\nFDIC\xe2\x80\x99s routers and switches.\n\nWith regard to the mainframe, we identified a powerful program that could have allowed\nany mainframe programmer to bypass all security controls for the system. We considered\nthis vulnerability to be serious in nature and brought it to DIT\xe2\x80\x99s attention, and the\nprogram was promptly removed from the system. The FDIC needs to take additional\nmeasures to ensure that powerful programs on the mainframe are strictly controlled.\nSuch measures could include maintaining a current and complete listing of such\nprograms, tracking changes to such programs, and periodically reviewing the integrity of\nsuch programs.\n\nAlthough the FDIC uses the CA-Endeavor\xc2\xae automated configuration management tool42\nto process mainframe application software changes, the FDIC does not use a\n\n41\n   The FDIC implemented Remedy to track requests through system life-cycle stages (i.e., request, approval,\n   implementation, and closure).\n42\n   CA-Endeavor\xc2\xae is a software product providing automated support for change, configuration, or version\n   control.\n\n\n\n                                                      25\n\x0cconfiguration management tool to process mainframe system software43 changes. The\nFDIC handles mainframe system software changes (including in-house-developed source\ncode) manually. Change management tools provide added assurance that software is\nproperly controlled and that changes are properly recorded, tracked, approved, and\nreported. For example, CA-Endeavor\xc2\xae interfaces with the mainframe\xe2\x80\x99s access control\nsoftware to secure source code and object code libraries on the mainframe from\nunauthorized changes. Updates to source code libraries require system and application\nprogrammers to \xe2\x80\x9ccheck-in\xe2\x80\x9d their code, request approval, and migrate software changes to\nproduction system libraries.\n\nMaintenance\n\nMaintenance involves scheduling, performing, and documenting preventative and regular\nmaintenance on the components of information systems in accordance with manufacturer\nor vendor specifications and/or organization requirements. Maintenance also involves\napproving, controlling, and monitoring maintenance tools and activities.\n\nThe FDIC has established policies and procedures for maintaining its information system\ncomponents. The FDIC maintains current operating system software for its routers,\nswitches, and firewalls and has established full-service contracts with vendors and\nvendor-certified partners to support its LAN/WAN. In addition, the FDIC maintains\nvendor-supported operating system software on the mainframe. However, the vendor has\nannounced plans to discontinue its support of the current operating system software on\nthe FDIC\xe2\x80\x99s mainframe, beginning in March 2007. Accordingly, the FDIC must\ndetermine whether to upgrade the mainframe\xe2\x80\x99s operating system software or use it\nwithout vendor support. In addition, the FDIC is in the process of acquiring a new\nnetwork intrusion detection system (IDS) solution because vendor support for its current\nIDS solution has been discontinued. The risk of loss of vendor support to critical\nsoftware must be carefully considered in updating the FDIC\xe2\x80\x99s EA and proceeding with\ntechnical solutions.\n\nSystem and Information Integrity\n\nSystem and information integrity controls include security controls for identifying,\nreporting, and correcting information system flaws. Such flaws can be discovered\nthrough the agency\xe2\x80\x99s system security assessments, continuous monitoring, or software\nvendors that recommend the implementation of software patches, service packs, or\nhotfixes to their software. System and information integrity control also involves the\ndeployment of virus protection and intrusion detection mechanisms to protect the\nagency\xe2\x80\x99s IT operations and the implementation of controls for ensuring the accuracy,\ncompleteness, and validity of information.\n\nThe FDIC established policies and procedures designed to ensure the integrity of its\nsystems and information. The FDIC has deployed anti-virus and IDS technologies to\n\n43\n     Examples of system software for the mainframe include Multiple Virtual Storage, Virtual\n     Telecommunications Access Method, and Job Entry Subsystems.\n\n\n\n                                                        26\n\x0cprotect its network operations. In addition, the FDIC has established performance\nmeasures to monitor the deployment of its software patches against pre-established\ntimeframes. With regard to the mainframe, we noted that system security software was\nnot configured to verify the identity of on-line programs to prevent spoofing\xe2\x80\x94concealing\na program with malicious intent by imitating a legitimate program. Spoofing a program\ncould allow a programmer to gain another user\xe2\x80\x99s identification (ID) and password.\n\nIn its September 2006 report entitled, Responses to Security-Related Questions in OMB\xe2\x80\x99s\nFiscal Year 2006 Reporting Instructions for FISMA and Agency Privacy Management,\nKPMG LLP (KPMG)44 noted that the FDIC had generally implemented timely security\npatches for its UNIX\xc2\xae Solaris\xe2\x84\xa2 server and Microsoft for Windows\xc2\xae server and desktop\noperating systems. However, DIT was working to address a problem it had identified\nrelating to the Windows\xc2\xae automated patch delivery tool. Specifically, at the end of our\nfieldwork, about 150 desktops and servers (combined) on the network had not been\nproperly configured to automatically receive and install software patches. Additionally,\nwe identified six Windows servers for which several required patches had not been\ninstalled. We brought these servers to DIT\xe2\x80\x99s attention. Subsequently, a DIT official\nadvised us that DIT had retired two of the six servers and installed patches on the\nremaining four. We plan to report the effectiveness of the corrective actions in our\nseparate report to the CIO.\n\nMedia Protection\n\nMedia protection involves those security controls related to controlling access to hard-\ncopy and electronic media, labeling media consistent with its sensitivity, and ensuring\nmedia storage is secured. Media protection also involves safeguarding the transportation\nof media and ensuring that appropriate controls are in place when sanitizing and\ndisposing of media.\n\nThe FDIC has established corporate policies and procedures for managing and disposing\nof sensitive records created or acquired in the course of conducting business.45\nAdditionally, the FDIC was working to develop a corporate policy describing rules for\nstoring, using, and disposing of sensitive FDIC data throughout its life cycle in response\nto OMB Memoranda M-06-16, Protection of Sensitive Agency Information, dated\nJune 23, 2006; and M-06-19, Reporting Incidents Involving Personally Identifiable\nInformation and Incorporating the Cost for Security in Agency Information Technology\nInvestments, dated July 12, 2006. Issuance of this policy is key to providing security for\nsensitive agency information. DIT plans to address the labeling of sensitive data in the\nnew policy. In Audit Report No. 06-016, we reported that the FDIC had established key\ncontrols for ensuring the secure disposal of sensitive information by its records\nmanagement contractor. However, the FDIC needed to improve its oversight of the\nrecords management contractor to ensure that the controls for safeguarding the disposal\nof sensitive information had been effectively implemented.\n\n44\n     KPMG, under contract to the FDIC OIG, performed the audit work for this report.\n45\n     FDIC Circulars 1210.18, FDIC Records Management Program; 1210.1, FDIC Records Retention and\n     Disposal Schedule; and 1210.4, Records Disposition.\n\n\n\n                                                   27\n\x0cIncident Response\n\nFISMA requires that agency information security programs include procedures for\ndetecting, reporting, and responding to security incidents. Implementing an effective\nincident response capability involves consideration of many factors, including training\nand detection, analysis, containment, eradication, reporting, and recovery from security\nincidents.\n\nAs indicated in our 2005 security evaluation report, the FDIC has continued to maintain a\ncomputer security incident response capability consistent with SP 800-61, Computer\nSecurity Incident Handling Guide. The FDIC has provided regular training to its\nComputer Security Incident Response Team members and has prepared procedure\nmanuals containing detailed guidance for the prevention, detection, analysis, response,\nrecovery, and reporting of security incidents.\n\nAwareness and Training\n\nFISMA requires federal agencies to provide security awareness training to users of\nagency information systems and requires agency CIOs to ensure proper oversight and\ntraining of personnel with significant information security responsibilities. In addition,\nfederal regulations require agencies to develop a security awareness and training plan,\nidentify employees with significant security responsibilities, and provide role-specific\ntraining in accordance with NIST standards and guidance.46\n\nThe FDIC has continued its prior-year practices of requiring (1) network users to\ncomplete an annual security awareness orientation,47 (2) major application users to\ncomplete application-specific security awareness training, and (3) general support system\ntechnicians and managers to complete system-specific security training. Further, DIT has\ndeveloped a formal training plan to ensure its staff with significant information security\nresponsibilities receive appropriate security training for the type of work they perform.\nWhile these actions were positive, the FDIC needed to strengthen its procedures for\nensuring that new network users complete required security awareness training on a\ntimely basis. We randomly selected 45 network user accounts that had been created in\n2006 for new FDIC employees and contractors. We found that 13 users (28 percent) had\nnot completed the awareness orientation within the 5-day period defined in Circular\n1360.16. We spoke with a DIT official about these users and learned that there can be\n\n46\n   The FDIC has determined that 5 Code of Federal Regulations Part 930, Subpart C, Information Security\n   Responsibilities for Employees Who Manage or Use Federal Information Systems, applies to the\n   Corporation.\n47\n   Circular 1360.16, Mandatory Information Security Awareness Training, requires users of the FDIC\xe2\x80\x99s\n   network to complete an annual Web-based information security awareness orientation. The circular states\n   that new employees shall log on and review the FDIC Information Security Awareness Web site and\n   orientation as soon as their network access is granted. Failure to do so within 5 working days of receiving a\n   network ID may result in revoking employee and contractor access to FDIC systems and applications. The\n   orientation includes information about laws, regulations, and policies related to computer security; rules of\n   behavior for systems and major applications; tips on effective security; and links to additional sources of\n   information.\n\n\n\n                                                        28\n\x0clegitimate reasons why a new network user may not take the awareness training within\nthe 5-day period.48 However, the DIT official acknowledged that improved procedures\nare needed to assist division and office ISMs in ensuring that new network users\ncomplete the security awareness training in a timely manner.\n\n\n\n\n48\n     For example, a user may not log into the network within 5 days of the creation of the user\xe2\x80\x99s account.\n\n\n\n                                                          29\n\x0cTECHNICAL CONTROLS\n\nTechnical controls are the safeguards or countermeasures for an information system that\nare primarily implemented and executed by the system through mechanisms contained in\nthe hardware, software, or firmware components of the system. SP 800-53 separates\ntechnical controls into four control families: Identification and Authentication, Access\nControl, Audit and Accountability, and System and Communications Protection. In\nsummary, we found that the controls we tested in the area of Identification and\nAuthentication are effective. However, the controls tested in the areas of Access Control\nand Audit and Accountability warrant management attention. Due to our limited testing\nof System and Communications Protection controls, we did not assess this control family\nas part of our current-year work.\n\nIdentification and Authentication\n\nIdentification and authentication are security measures designed to prevent unauthorized\nindividuals or processes from accessing information systems and data. FIPS PUB 201,\nPersonal Identity Verification of Federal Employees and Contractors, and associated\npublications establish standards and requirements for the identity verification of federal\nemployees and contractors and for personal identity verification (PIV) credentials to be\nissued.49 OMB has directed agencies to deploy products and operational systems to issue\nidentity credentials meeting the FIPS PUB 201 standard by October 27, 2006. Individual\nidentities can be authenticated using various means, such as passwords, card tokens,\nbiometrics, or some combination thereof. Devices can be identified and authenticated\nusing shared known information, such as a Media Access Control address and an\norganization authentication solution (i.e., IEEE 802.1x and Extensible Authentication\nProtocol).\n\nGenerally, the FDIC implemented adequate policies, procedures, and practices for\nidentifying and authenticating users of its LAN/WAN and mainframe. These controls\nincluded processes for systems access requests by users, management approval of\nsystems access requests, and periodic re-authorizations of systems access privileges.\nWith regard to the FDIC\xe2\x80\x99s efforts to implement a PIV system for its employees and\ncontractors, the FDIC has contracted with a firm to obtain consulting and technical\nassistance. Due to uncertainties regarding how a PIV solution will be implemented, the\nFDIC had not yet developed a project plan or determined when it will have NIST-\ncompliant processes for verifying the identity of its employees and contractors and\nissuing PIV identity credentials. We plan to evaluate the FDIC\xe2\x80\x99s efforts to address these\nprocesses as part of our 2007 FISMA evaluation work.\n\n\n\n\n49\n     NIST released FIPS PUB 201 in response to Homeland Security Presidential Directive 12 (HSPD-12), Policy\n     for a Common Identification Standard for Federal Employees and Contractors, on August 27, 2004.\n     HSPD-12 requires the development and agency implementation of a mandatory, government-wide standard\n     for secure and reliable forms of identification. The FDIC is not required to implement HSPD-12; however,\n     the FDIC has decided to voluntarily comply with HSDP-12.\n\n\n\n                                                       30\n\x0cAccess Control\n\nInformation system access controls (i.e., logical access controls) provide assurance that\nsystem resources can be accessed only by authorized users in authorized ways. Logical\naccess controls provide a technical means of controlling the information users can read\nand copy, the programs they can execute, and the modifications they can make. Logical\naccess controls also promote a key security principle known as \xe2\x80\x9cleast privilege.\xe2\x80\x9d50\n\nThe FDIC has established various policies and procedures that describe corporate-wide\nroles and responsibilities for managing access to its information systems and data.51 In\naddition, DIT has identified improvements in the FDIC\xe2\x80\x99s access control program as one\nof its top priorities for 2006. At the time of our evaluation, DIT was performing an\ninternal assessment of the FDIC\xe2\x80\x99s processes for granting user access to corporate\ninformation systems.\n\nThe FDIC has established and implemented a number of procedures for controlling\naccess to its mainframe and LAN/WAN systems. However, improvements in some areas\nwere needed. Regarding the LAN/WAN, we noted that access requests and approvals for\nrouters and switches are handled through e-mail rather than through a centralized tool\nsuch as the FDIC\xe2\x80\x99s Access Authorization Security Application. The FDIC can enhance\nits LAN/WAN access control practices by using an automated tool. Regarding the\nmainframe, we identified two potential access control-related vulnerabilities as\nsummarized below.\n\n     \xe2\x80\xa2   An important mainframe security feature that prevents users from recovering\n         deleted data sets was not enabled. Enabling this security feature would prevent\n         users from recovering sensitive datasets that they may not be authorized to view.\n         DIT officials indicated that they would evaluate the feasibility of implementing\n         the security as part of a planned mainframe upgrade.\n\n     \xe2\x80\xa2   Access restrictions designed to prevent a knowledgeable user from accessing\n         powerful system software programs for unauthorized purposes, such as elevating\n         their security privileges to access, modify, or delete program code, datasets, or\n         other resources on the mainframe, were not consistent with mainframe security\n         operating procedures. DIT officials indicated that they would review powerful\n         system software programs to determine whether additional access restrictions\n         should be implemented.\n\n\n\n\n50\n   Least privilege refers to the security objective of restricting user access to only those IT resources needed to\n   perform official duties. Applying the principle of least privilege can mitigate damage to system resources\n   resulting from accidents, errors, or unauthorized use.\n51\n   Such policies and procedures include, but are not limited to, Circular 1360.15, Access Control for Automated\n   Information Systems, dated September 24, 2003; Circular 1370.1, Periodic Review of Mainframe Resource\n   Access, dated July 17, 1995; the FDIC\xe2\x80\x99s Access Control Procedures and Guidelines, dated December 2002;\n   and Information Security Manager\xe2\x80\x99s (ISM) Guide, dated August 2005.\n\n\n\n                                                        31\n\x0cIn addition, we noted that the FDIC had not always restricted access to computer\nresources on the network consistent with the principle of least privilege. In March 2006,\nwe reported that access to critical security software on the FDIC\xe2\x80\x99s laptop computers had\nnot been appropriately restricted.52 During our current-year FISMA evaluation work, we\nidentified two contractor-maintained computers on the network that had not been\nrestricted to prevent network users from accessing their operating system files or\ninformation stored on their hard drives, such as confidential bank data. Additionally, 1 of\n10 network servers that we judgmentally selected for testing as part of our current year\nFISMA work had not been configured to prohibit users from controlling critical services.\nSpecifically, any FDIC network user had the ability to start or stop critical services on the\nserver, including e-mail services, antivirus software, and event logging. Although this\nvulnerable server appears to have been an isolated event, the issues discussed here\ncollectively underscore the importance of conducting periodic reviews of network\nresources for least privilege.\n\nWe also found that the FDIC had established a corporate policy requiring its divisions\nand offices to monitor user access privileges for their information systems. However, the\nFDIC needs to develop an enterprise-wide approach for monitoring user access privileges\ncommensurate with the sensitivity of the FDIC\xe2\x80\x99s information systems and data. Such an\napproach would help ensure that monitoring practices are commensurate with system\nsensitivity.\n\nRegarding the encryption of sensitive information, OMB Memorandum M-06-16\nrecommends that departments and agencies encrypt all data on their mobile\ncomputers/devices that carry agency data unless the data is determined to be non-\nsensitive. The FDIC has implemented two separate software solutions for encrypting\ndata on mobile laptop computers and removable media (including compact disks and\nflash drives). However, these solutions require manual intervention by users to encrypt\nsensitive data and files, limiting management\xe2\x80\x99s assurance that sensitive information is\nconsistently encrypted on mobile computing devices. To address this limitation, the\nFDIC is currently pilot testing a new encryption solution that will secure all information\nin a manner transparent to users. The FDIC plans to deploy the new encryption solution\nbased on the results of its pilot testing (currently scheduled for completion in November\n2006).\n\nAudit and Accountability\n\nAudit trails, together with appropriate tools and procedures, promote key security-related\nobjectives, such as detecting security violations, promoting individual accountability, and\nreconstructing auditable events. Audit and accountability involve generating audit\nrecords at a sufficient level of detail to establish the events that took place, sources of the\nevents, and outcomes of the events. Audit and accountability also involve consideration\nof audit trail storage, processing, monitoring, analysis, reporting, protection, and\nretention.\n\n52\n     OIG Audit Report No. 06-012 entitled, Security Controls Over the FDIC\xe2\x80\x99s Wireless Data Communications,\n     dated March 2006.\n\n\n\n                                                      32\n\x0cAlthough FDIC policy requires system developers to incorporate audit and accountability\nmeasures into new and existing information systems, the policy does not address audit\nlogging and monitoring responsibilities for system owners.53 In addition, the FDIC\xe2\x80\x99s\nRUP\xc2\xae SDLC methodology does not require system owners to define audit logging and\nmonitoring requirements. Further, the FDIC has not developed procedures and\nguidelines to assist system owners in determining the circumstances under which system\naudit logs should be created, information that should be logged, and the methods\navailable for logging and monitoring. Such procedural improvements are needed to\nensure that the FDIC\xe2\x80\x99s practices for generating and monitoring audit logs are\ncommensurate with the sensitivity levels of the systems and the data they processed.\n\nRegarding the LAN/WAN, audit log information was centrally recorded and stored. DIT\nstaff told us that they periodically review LAN/WAN audit logs. However, DIT had not\ndocumented procedures describing which audit log activities are reviewed, how often\nthey are reviewed, or who reviews them or the types of actions that can be taken when\npotential security incidents are identified. Regarding the mainframe, the FDIC was\ntaking action to log and monitor user access activities to ensure such activities were\nconsistent with security policies and procedures. However, we identified five mainframe\nusers with special privileges who were responsible for reviewing audit logs of their own\nactivities. This approach did not provide for the appropriate separation of duties. We\nbrought this weakness to DIT\xe2\x80\x99s attention during the evaluation, and prompt corrective\naction was taken.\n\nBased on the results of our evaluation work in the areas of access control and audit and\naccountability, we concluded that management attention is warranted to ensure that\nappropriate risk-based security controls are in place and operating as intended.\n\nSystem and Communications Protection\n\nSystem and communications protection addresses a number of key security control\nmeasures including, but not limited to, ensuring that system functionality is appropriately\nsegregated; communications are monitored, controlled, and protected; and that\ncryptographic operations (if used) are adequate.\n\nWe did not perform specific audit procedures related to system and communications\nprotection because the majority of controls in this family pertain to general support\nsystems not covered under our current-year evaluation. Such general support systems\ninclude the Voice/Video, Public Key Infrastructure, and Remote Access systems. We\nplan to evaluate system and communications protection security controls in future\nFISMA evaluations.\n\n\n\n\n53\n     Circular 1360.15, Access Control for Automated Information Systems.\n\n\n\n                                                       33\n\x0c                                                                             APPENDIX I\n\n\n                   OBJECTIVE, SCOPE, AND METHODOLOGY\n\nThe objective of our review was to evaluate the effectiveness of the FDIC\xe2\x80\x99s information\nsecurity program and practices, including the FDIC\xe2\x80\x99s compliance with FISMA and\nrelated information security policies, procedures, standards, and guidelines. The scope of\nour work included a review of the FDIC\xe2\x80\x99s common controls and certain NIST SP 800-53\ncontrol families of the LAN/WAN and mainframe general support systems, as well as the\nFDIC\xe2\x80\x99s progress in meeting HSPD-12 provisions.\n\nTo accomplish our objective, we interviewed key DIT and program office personnel who\nhad significant information security responsibilities. Also, we evaluated the FDIC\xe2\x80\x99s\nsecurity-related policies, procedures, and guidelines and certain security-related\ndocuments and files, including C&A documentation, vulnerability assessments, IT\nservices contracts, training records, and strategic and annual performance plans. We\ntested the FDIC common controls and the LAN/WAN and mainframe in order to\ndetermine the FDIC\xe2\x80\x99s compliance with its policies and procedures and federal guidelines.\nAppendix II lists the SP 800-53 controls included in the scope of our review.\n\nWe engaged KPMG to perform our assessment of the FDIC\xe2\x80\x99s common controls and\nLAN/WAN and mainframe system security controls. Our oversight of KPMG included\nevaluating the nature, timing, and extent of work described in KPMG\xe2\x80\x99s evaluation\nprogram, attending key meetings with KPMG, monitoring KPMG\xe2\x80\x99s work throughout the\nevaluation, and performing other procedures we deemed appropriate. In this manner, we\nassured ourselves that KPMG's work complied with generally accepted government\nauditing standards (GAGAS).\n\nIn the performance of our FISMA work, we leveraged security-related audit, review, and\nevaluation reports issued by the GAO and others, including the FDIC\xe2\x80\x99s OIG. To assure\nourselves that we could leverage pertinent information contained in these reports, we\nperformed appropriate procedures, such as obtaining an understanding of the\nmethodologies, assumptions, and conclusions described therein.\n\nIn addition, our evaluation did not assess controls at depository institutions insured and\nregulated by the FDIC that routinely provide financial information to the Corporation.\nWe performed our evaluation at the FDIC's Headquarters office and primary computer\nfacility in Arlington, Virginia, and the new disaster recovery site during the period April\nthrough August 2006. Throughout our evaluation, we met with FDIC management to\ndiscuss our preliminary conclusions. We conducted our evaluation in accordance with\nGAGAS.\n\nInternal Control\n\nAn explanation of the terms \xe2\x80\x9cinternal control,\xe2\x80\x9d \xe2\x80\x9creasonable assurance,\xe2\x80\x9d and \xe2\x80\x9cadequate\nsecurity\xe2\x80\x9d is important to ensure a proper understanding of our approach and conclusions.\n\n\n\n\n                                             34\n\x0c                                                                                              APPENDIX I\n\nOMB Circular No. A-123 (OMB A-123), Management\xe2\x80\x99s Responsibility for Internal\nControl,54 states:\n\n         Internal Control\xe2\x80\x94organization, policies, and procedures\xe2\x80\x94are tools to\n         help program and financial managers achieve results and safeguard the\n         integrity of their programs.\n\nAdditionally, OMB A-123 states that reasonable assurance must be provided by internal\ncontrol. The circular states:\n\n         Internal control is an integral component of an organization\xe2\x80\x99s management\n         that provides reasonable assurance that the following objectives are being\n         achieved: effectiveness and efficiency of operations, reliability of\n         financial reporting, and compliance with applicable laws and regulations.\n\nOMB A-130, Appendix III,55 defines adequate security as security commensurate with\nthe risk and magnitude of harm resulting from the loss, misuse, or modification of or\nunauthorized access to information. This includes assuring that agency systems and\napplications provide appropriate confidentiality, integrity, and availability through the\nuse of cost-effective management, personnel, operational, and technical controls. The\nconcept of adequate security is consistent with FISMA, which directs agency heads to\nprovide information security protections commensurate with the risk and magnitude of\nharm resulting from the unauthorized access to, use, disclosure, disruption, modification,\nor destruction of information and information systems.\n\nGovernment oversight agencies, such as GAO and OMB, and recognized\nstandards-setting organizations such as NIST have identified fundamental management\nprinciples and controls needed to implement an effective information security program.56\nThe controls were defined with the publication of FIPS PUB 200 and SP 800-53, and an\nassessment methodology was outlined in a draft assessment guide in SP 800-53A.\nSP 800-53 defines a minimum set of security controls for the non-national security\nsystems of all federal agencies. These security controls are selected based on the\npotential impact that could occur to the agency should there be a loss of confidentiality,\n54\n   On December 21, 2004, OMB revised the circular, which became effective in fiscal year 2006, to strengthen\n   requirements for conducting management\xe2\x80\x99s assessment of internal control over financial reporting and to\n   emphasize the need for agencies to integrate and coordinate internal control assessments with other\n   internal-control-related activities. The circular implements the FMFIA. This Act is applicable to the FDIC\n   because of provisions in the Chief Financial Officers Act of 1990 regarding annual reporting by government\n   corporations on their internal accounting and administrative control systems. The FDIC has determined that\n   as long as it develops internal controls that are consistent with the goals of FMFIA, the FDIC will have met\n   its legal obligations under the circular.\n55\n   OMB A-130, Appendix III, establishes minimum controls for federal automated information security\n   programs. The FDIC has determined that portions of the circular apply to the FDIC, while other portions do\n   not apply. The FDIC has also determined that OMB A-130, Appendix III, requires the FDIC to implement\n   and maintain an information security program consistent with government-wide policies, standards, and\n   procedures issued by OMB and the Department of Commerce.\n56\n   GAO Executive Guide, Information Security Management: Learning From Leading Organizations; OMB\n   A-130, Appendix III; SP 800-14; SP 800-12; and SP 800-53.\n\n\n\n                                                       35\n\x0c                                                                                       APPENDIX I\n\nintegrity, or availability of the information or information system. The publication\ndefines 17 management, operational, and technical security control families that are\nintegral to securing any federal information system.\n\nIn addition to the SP 800-53 controls for securing systems, draft SP 800-100 describes\nother controls for agency-wide management of a security program. Based on our analysis\nof draft SP 800-100 and considering the FDIC\xe2\x80\x99s business and IT environment, we\nidentified three additional security program control families, Information Security\nGovernance, Enterprise Architecture, and Capital Planning. Table 3 lists the security\ncontrol classes and related security control families.\n\nTable 3: Security Control Classes and Families\n  Security Control Class                              Security Control Family\nProgram                              Information Security Governance\n                                     Enterprise Architecture\n                                     Capital Planning\nManagement                           Risk Assessment\n                                     Planning\n                                     System and Services Acquisition\n                                     Certification, Accreditation, and Security Assessments\nOperational                          Personnel Security\n                                     Physical and Environmental Protection\n                                     Contingency Planning\n                                     Configuration Management\n                                     Maintenance*\n                                     System and Information Integrity\n                                     Media Protection*\n                                     Incident Response\n                                     Awareness and Training\nTechnical                            Identification and Authentication\n                                     Access Control\n                                     Audit and Accountability*\n                                     System and Communications Protection\nSource: OIG analysis of NIST guidance.\n*This control family was not included in prior OIG FISMA evaluations of the FDIC\xe2\x80\x99s information security\nprogram.\n\n\n\n\n                                                   36\n\x0c                                                                               APPENDIX I\n\nWe assigned one of three assurance levels (reasonable assurance, limited assurance, and\nminimal/no assurance) when assessing the effectiveness of the information security\nprogram. We used OMB guidance to develop definitions for reasonable, limited, and\nminimal assurance (see Table 4).\n\nTable 4: Information Security Program Assurance Levels\n                   Indicates that the Corporation has established or implemented controls\n                   that were sufficient to provide reasonable, but not absolute, assurance of\n                   achieving adequate security over its information resources.\n Reasonable        Designations of reasonable assurance indicate that the FDIC has\n Assurance         designed or implemented controls to ensure compliance with applicable\n                   statutory or regulatory requirements and that such controls maintained\n                   appropriate confidentiality, integrity, and availability of information\n                   resources.\n                   Indicates that the Corporation has established controls that were\n                   partially complete or has implemented controls that were not always\n                   effective or operating as intended. Designations of limited assurance\n   Limited         indicate that the FDIC was in partial compliance with applicable\n  Assurance        statutory or regulatory requirements and that control weaknesses existed\n                   in the confidentiality, integrity, or availability of information resources.\n                   Although mitigating controls may exist, control weaknesses may\n                   impede the FDIC's ability to achieve its security goals and objectives.\n                   Indicates that the Corporation has established few or no controls to\n                   provide assurance of adequate security or that existing controls were not\n                   operating as intended. Designations of minimal/no assurance indicate\n                   significant noncompliance with applicable statutory or regulatory\n Minimal/No        requirements and serious control weaknesses relating to the\n Assurance         confidentiality, integrity, or availability of information resources.\n                   Because mitigating controls were minimal or not present, the\n                   achievement of corporate security goals and objectives was impaired.\n                   Minimal/no assurance is indicative of weaknesses that merit the\n                   attention of the FDIC Chairman and Board of Directors.\nSource: OIG analysis of OMB guidance.\n\nThe OIG changed its methodology from prior years to better conform to the emerging\nstandards and guidance. Our current FISMA evaluation framework consists of assessing\nthe program control class on an agency-wide basis and assessing management,\noperational, and technical control classes on a sample of systems. The assessment of\ncontrol families is based on testing a sample of the controls that make up the family. We\nselected systems, control families, and individual controls for testing based on how\nimportant the system is to the FDIC, the control family is to the system, and the control is\nto the control family. We considered risk, costs, results of internal and external reviews,\ngovernment-wide and FDIC initiatives and goals, the maturity of the security program,\nand other factors in selecting our samples. For fiscal year 2006, we sampled two general\nsupport systems\xe2\x80\x94the mainframe and LAN/WAN. Appendix II identifies the security\ncontrol families for which we performed limited testing of system-level controls.\n\n\n                                              37\n\x0c                                                                                                 APPENDIX I\n\nIn previous years, based on our analysis of long-standing requirements found in\nsecurity-related statutes, policies, and guidance and considering the FDIC\xe2\x80\x99s business and\nIT environment, we identified 10 key management control areas associated with the\nFDIC\xe2\x80\x99s information security program. For each of the 10 management control areas, we\nprovided an assessment in terms of the level of assurance that the management control\nprovided adequate security over the FDIC's information resources. Using each of the 10\nmanagement control assessments as a basis and considering associated risk, we then\nassessed the Corporation\xe2\x80\x99s overall information security program and compared it to\nprevious security evaluation results. In this manner, we were able to evaluate the FDIC\xe2\x80\x99s\nprogress in strengthening its information security program and practices. However, we\nwere unable to make a meaningful comparison of results from the prior and current\nannual evaluations due to differences in the nature and extent of control testing\nperformed.\n\nLaws and Regulations\n\nWe evaluated the FDIC's compliance with FISMA57 and information-security-related\nlaws, policies, procedures, standards, and guidelines (or provisions thereof) that had a\ndirect and material impact on the FDIC's information security program and practices.\nOur evaluation focused primarily on FISMA and OMB A-130, Appendix III,58 as criteria\nfor the major elements of an effective information security program. Our evaluation also\nplaced particular reliance on a number of statutes, policies, and guidance; including but\nnot limited to:\n\n     \xe2\x80\xa2   The E-Government Act of 200259\n     \xe2\x80\xa2   FMFIA60\n     \xe2\x80\xa2   The Clinger-Cohen Act of 199661\n     \xe2\x80\xa2   The Government Performance and Results Act of 199362\n\n\n\n57\n   FISMA, codified in pertinent part to titles 40 and 44, United States Code (U.S.C.), is similar to Title X of the\n   Homeland Security Act of 2002 (Pub. L. No. 107-269), which also bears the name Federal Information\n   Security Management Act of 2002. In signing the E-Government Act of 2002 into law, the President stated\n   that the executive branch will construe the E-Government Act of 2002 as permanently superseding the\n   Homeland Security Act of 2002 in those instances where both Acts prescribe different amendments to the\n   same provisions of the U.S.C. Also, see 44 U.S.C. \xc2\xa7 3549 regarding the effect of the E-Government Act on\n   existing law.\n58\n   The FDIC has determined that portions of the Circular apply to the FDIC.\n59\n   The FDIC had determined that this statute, Title III of which contains FISMA, is legally binding on the\n   FDIC.\n60\n   The FDIC has determined that portions of the FMFIA are applicable to the FDIC by reference in the Chief\n   Financial Officers Act. In general, the goals of FMFIA are that agency obligations and costs comply with\n   applicable law; assets are guarded against waste, loss, etc.; and revenue and expenditures are properly\n   accounted for, so that reliable financial statements can be prepared.\n61\n   The FDIC has determined that the Clinger-Cohen Act does not apply to the FDIC. The Clinger-Cohen Act\n   imposes obligations and responsibilities on \xe2\x80\x9cexecutive agencies\xe2\x80\x9d as defined in the Office of Federal\n   Procurement Policy Act, which does not include the FDIC. However, the FDIC has indicated that it intends\n   to follow the spirit of the Act.\n\n\n\n                                                         38\n\x0c                                                                                              APPENDIX I\n\n\n     \xe2\x80\xa2   The Chief Financial Officers Act of 199063\n     \xe2\x80\xa2   The Privacy Act of 197464\n     \xe2\x80\xa2   5 Code of Federal Regulations Part 930, Subpart C, Information Security\n         Responsibilities for Employees Who Manage or Use Federal Information\n         Systems65\n     \xe2\x80\xa2   HSPD\xe2\x80\x937, Critical Infrastructure Identification, Prioritization, and Protection66\n     \xe2\x80\xa2   HSPD-12, Policy for a Common Identification Standard for Federal Employees\n         and Contractors67\n     \xe2\x80\xa2   OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget68\n     \xe2\x80\xa2   OMB Circular No. A-123, Management Responsibility for Internal Control69\n     \xe2\x80\xa2   The following OMB security-related memoranda:\n         \xe2\x80\xa2 M-00-07, Incorporating and Funding Security in Information Systems\n             Investments70\n         \xe2\x80\xa2 M-02-01, Guidance for Preparing and Submitting Security Plans of Action\n             and Milestones71\n         \xe2\x80\xa2 M-03-22, OMB Guidance for Implementing the Privacy Provision of the\n             E-Government Act of 200272\n         \xe2\x80\xa2 M-06-15, Safeguarding Personally Identifying Information73\n         \xe2\x80\xa2 M-06-16, Protection of Sensitive Agency Information74\n         \xe2\x80\xa2 M-06-19, Reporting Incidents Involving Personally Identifiable Information\n             and Incorporating the Cost for Security in Agency Information Technology\n             Investments75\n\n62\n   The Act requires most federal agencies, including the FDIC, to develop a strategic plan that broadly defines\n   the agency's mission and vision, an annual performance plan that translates the vision and goals of the\n   strategic plan into measurable objectives, and an annual performance report that compares actual results\n   against planned goals.\n63\n   The FDIC has determined that the portions of this Act that are applicable to government corporations are also\n   applicable to the FDIC.\n64\n   The Act, which is applicable to the FDIC, requires agencies to have appropriate administrative, technical and\n   physical safeguards over the security and confidentiality of agency records\n65\n   The FDIC has determined that this provision applies to the FDIC.\n66\n   The FDIC has determined that HSPD-7 applies to the Corporation.\n67\n   According to OMB guidance for implementing HSPD-12, government corporations are encouraged to\n   comply with the directive. The FDIC is voluntarily complying with this directive.\n68\n   This circular governs the federal budgeting process and contains requirements for identifying and tracking\n   various agency costs. The FDIC prepares budgetary data for OMB\xe2\x80\x99s review but not approval.\n69\n   The FDIC has determined that this circular is applicable to the FDIC; specifically, as long as the FDIC\xe2\x80\x99s\n   internal controls are consistent with the goals of the FMFIA, the FDIC will have met its obligations under\n   this circular.\n70\n   The FDIC determined that this memorandum, which implements OMB Circular Nos. A-130 and A-11, was\n   not applicable to the FDIC.\n71\n   The FDIC is reviewing this memorandum to determine its applicability to the FDIC.\n72\n   This memorandum implements section 208 of the E-Government Act, which applies to the FDIC.\n73\n   The applicability of this memorandum has not been determined; however, the FDIC has taken steps to\n   implement it.\n74\n   The applicability of this memorandum, which deals with protecting information remotely accessed, has not\n   been determined, but the FDIC has taken steps to implement it.\n\n\n\n                                                       39\n\x0c                                                                                               APPENDIX I\n\n\n         \xe2\x80\xa2   M-06-20, FY 2006 Reporting Instructions for the Federal Information\n             Security Management Act and Agency Privacy Management\n     \xe2\x80\xa2   NIST FIPS PUB 199, Standards for Security Categorization of Federal\n         Information and Information Systems76\n     \xe2\x80\xa2   NIST FIPS PUB 200, Minimum Security Requirements for Federal Information\n         and Information Systems.77\n     \xe2\x80\xa2   NIST FIPS PUB 201, Personal Identity Verification (PIV) of Federal Employees\n         and Contractors78\n     \xe2\x80\xa2   FDIC policies and procedures related to information security\n     \xe2\x80\xa2   GAO's Federal Information System Controls Audit Manual79\n     \xe2\x80\xa2   The following NIST Special Publications:80\n         \xe2\x80\xa2 800-12, An Introduction to Computer Security: The NIST Handbook\n         \xe2\x80\xa2 800-18, Guide for Developing Security Plans for Information Technology\n             Systems\n         \xe2\x80\xa2 800-30, Risk Management Guide for Information Technology Systems\n         \xe2\x80\xa2 800-34, Contingency Planning Guide for Information Technology Systems\n         \xe2\x80\xa2 800-37, Guide for the Security Certification and Accreditation of Federal\n             Information Systems\n         \xe2\x80\xa2 800-40, Procedures for Handling Security Patches\n         \xe2\x80\xa2 800-47, Security Guide for Interconnecting Information Technology Systems\n         \xe2\x80\xa2 800-50, Building an Information Technology Security Awareness and\n             Training Program\n         \xe2\x80\xa2 800-53, Recommended Security Controls for Federal Information Systems\n         \xe2\x80\xa2 800-55, Security Metrics Guide for Information Technology Systems\n         \xe2\x80\xa2 800-60, Guide for Mapping Types of Information and Information Systems to\n             Security Categories\n         \xe2\x80\xa2 800-61, Computer Security Incident Handling Guide\n         \xe2\x80\xa2 800-64, Security Considerations in the Information System Development Life\n             Cycle\n         \xe2\x80\xa2 800-65, Integrating Security into the Capital Planning and Investment Control\n             Process\n\n\n\n75\n   This memorandum requires agencies to report computer incidents to a central federal incident-reporting\n   center. Although legal applicability has not been determined, the FDIC has taken steps to implement this\n   memorandum.\n76\n   Because the FDIC is not an executive agency for purposes of the publication, this publication is not legally\n   applicable to the FDIC, but the FDIC follows its principles.\n77\n   The applicability of this publication has not been determined, but the FDIC intends to voluntarily comply\n   with it.\n78\n   The FDIC is voluntarily complying with FIPS PUB 201.\n79\n   The manual provides guidance for reviewing information system controls that affect the integrity,\n   confidentiality, and availability of computerized data.\n80\n   In general, these NIST SPs are, by their own terms, guidelines (rather than mandatory requirements) for\n   agencies in implementing their IT operations. However, the current applicability of SP 800-53 to the FDIC\n   has not been determined.\n\n\n\n                                                       40\n\x0c                                                                           APPENDIX I\n\n\nComputer-based Data, Performance Measures, and Fraud and Illegal Acts\n\nWe performed appropriate procedures to assure ourselves that computer-based data were\nvalid and reliable when those data were significant to our evaluation findings and\nconclusions. Such procedures included verifying selected automated data to source\ndocumentation and corroborating automated data through interviews with appropriate\nFDIC personnel. In addition, we evaluated the adequacy and effectiveness of the FDIC's\nperformance measures related to information security. Finally, we did not develop\nspecific audit procedures to detect fraud and illegal acts because we did not consider\nfraud and illegal acts to be material to the evaluation objective. However, throughout our\nevaluation, we were sensitive to the potential for fraud, waste, abuse, and\nmismanagement.\n\n\n\n\n                                            41\n\x0c                                                                                APPENDIX II\n\n                            NIST SP 800-53 CONTROLS TESTED\n\nThis appendix lists the recommended security controls for federal information systems from\nNIST SP 800-53 published in February 2005. We performed limited testing on a sample of\ncontrols identified in the Sample of Controls Tested column. We limited our tests based on the\nrisk and feasibility within the FDIC\xe2\x80\x99s common control, mainframe, and LAN/WAN\nenvironments. We also tested program controls.\n\n\n                            NIST SP 800-53 Control                                 Sample of\n     Family           No.                            Name                          Controls\n                                                                                    Tested\n                                   Management Control Class\nRisk Assessment     RA-1       Risk Assessment Policy and Procedures                   X\n(RA)                RA-2       Security Categorization                                 X\n                    RA-3       Risk Assessment                                         X\n                    RA-4       Risk Assessment Update                                  X\n                    RA-5       Vulnerability Scanning                                  X\nPlanning            PL-1       Security Planning Policy and Procedures                 X\n(PL)                PL-2       System Security Plan\n                    PL-3       System Security Plan Update\n                    PL-4       Rules of Behavior                                      X\n                    PL-5       Privacy Impact Assessment                              X\nSystem and          SA-1       System and Services Acquisition Policy and             X*\nServices                       Procedures\nAcquisition         SA-2       Allocation of Resources\n(SA)*               SA-3       Life Cycle Support\n                    SA-4       Acquisitions\n                    SA-5       Information System Documentation\n                    SA-6       Software Usage Restrictions                            X*\n                    SA-7       User Installed Software                                X*\n                    SA-8       Security Design Principles\n                    SA-9       Outsourced Information System Services\n                    SA-10      Developer Configuration Management\n                    SA-11      Developer Security Testing\nCertification,      CA-1       Certification, Accreditation, and Security              X\nAccreditation,                 Assessment Policies and Procedures\nand Security        CA-2       Security Assessments                                    X\nAssessments (CA)    CA-3       Information System Connections                          X\n                    CA-4       Security Certification                                  X\n                    CA-5       Plan of Action and Milestones                           X\n                    CA-6       Security Accreditation                                  X\n                    CA-7       Continuous Monitoring\n\n\n\n\n                                                42\n\x0c                                                                                APPENDIX II\n\n                            NIST SP 800-53 Control                                Sample of\n     Family           No.                            Name                         Controls\n                                                                                   Tested\n                                    Operational Control Class\nAwareness and       AT-1       Security Awareness and Training Policy and            X\nTraining                       Procedures\n(AT)                AT-2       Security Awareness                                    X\n                    AT-3       Security Training                                     X\n                    AT-4       Security Training Records\nConfiguration       CM-1       Configuration Management Policy and Procedures        X\nManagement          CM-2       Baseline Configuration                                X\n(CM)                CM-3       Configuration Change Control                          X\n                    CM-4       Monitoring Configuration Changes                      X\n                    CM-5       Access Restrictions for Change                        X\n                    CM-6       Configuration Settings                                X\n                    CM-7       Least Functionality                                   X\nContingency         CP-1       Contingency Planning Policy and Procedures            X\nPlanning            CP-2       Contingency Plan                                      X\n(CP)                CP-3       Contingency Training                                  X\n                    CP-4       Contingency Plan Testing                              X\n                    CP-5       Contingency Plan Update                               X\n                    CP-6       Alternate Storage Sites                               X\n                    CP-7       Alternate Processing Sites                            X\n                    CP-8       Telecommunications Services                           X\n                    CP-9       Information System Backup                             X\n                    CP-10      Information System Recovery and Reconstitution        X\nIncident Response   IR-1       Incident Response Policy and Procedures               X\n(IR)                IR-2       Incident Response Training                            X\n                    IR-3       Incident Response Testing\n                    IR-4       Incident Handling                                     X\n                    IR-5       Incident Monitoring                                   X\n                    IR-6       Incident Reporting                                    X\n                    IR-7       Incident Response Assistance                          X\nMaintenance         MA-1       System Maintenance Policy and Procedures              X\n(MA)                MA-2       Periodic Maintenance                                  X\n                    MA-3       Maintenance Tools\n                    MA-4       Remote Maintenance\n                    MA-5       Maintenance Personnel\n                    MA-6       Timely Maintenance\nMedia Protection    MP-1       Media Protection Policy and Procedures                X\n(MP)                MP-2       Media Access                                          X\n                    MP-3       Media Labeling\n                    MP-4       Media Storage                                         X\n                    MP-5       Media Transport                                       X\n                    MP-6       Media Sanitization                                    X\n                    MP-7       Media Destruction and Disposal\n\n\n\n                                               43\n\x0c                                                                               APPENDIX II\n\n                         NIST SP 800-53 Control                                  Sample of\n      Family       No.                            Name                           Controls\n                                                                                  Tested\nPhysical and     PE-1       Physical and Environmental Protection Policy and        X\nEnvironmental               Procedures\nProtection       PE-2       Physical Access Authorizations                          X\n(PE)             PE-3       Physical Access Control                                 X\n                 PE-4       Access Control for Transmission Medium\n                 PE-5       Access Control for Display Medium\n                 PE-6       Monitoring Physical Access                              X\n                 PE-7       Visitor Control                                         X\n                 PE-8       Access Logs                                             X\n                 PE-9       Power Equipment and Power Cabling                       X\n                 PE-10      Emergency Shutoff                                       X\n                 PE-11      Emergency Power                                         X\n                 PE-12      Emergency Lighting                                      X\n                 PE-13      Fire Protection                                         X\n                 PE-14      Temperature and Humidity Controls                       X\n                 PE-15      Water Damage Protection                                 X\n                 PE-16      Delivery and Removal\n                 PE-17      Alternate Work Site                                     X\nPersonnel        PS-1       Personnel Security Policy and Procedures                X\nSecurity         PS-2       Position Categorization                                 X\n(PS)             PS-3       Personnel Screening                                     X\n                 PS-4       Personnel Termination                                   X\n                 PS-5       Personnel Transfer                                      X\n                 PS-6       Access Agreements                                       X\n                 PS-7       Third-Party Personnel Security                          X\n                 PS-8       Personnel Sanctions\nSystem and       SI-1       System and Information Integrity Policy and             X\nInformation                 Procedures\nIntegrity (SI)   SI-2       Flaw Remediation                                        X\n                 SI-3       Malicious Code Protection                               X\n                 SI-4       Intrusion Detection Tools and Techniques                X\n                 SI-5       Security Alerts and Advisories                          X\n                 SI-6       Security Functionality Verification\n                 SI-7       Software and Information Integrity\n                 SI-8       Spam and Spyware Protection                             X\n                 SI-9       Information Input Restrictions\n                 SI-10      Information Input Accuracy, Completeness, and\n                            Validity\n                 SI-11      Error Handling\n                 SI-12      Information Output Handling and Retention\n\n\n\n\n                                             44\n\x0c                                                                                 APPENDIX II\n\n                             NIST SP 800-53 Control                                Sample of\n     Family            No.                            Name                         Controls\n                                                                                    Tested\n                                      Technical Control Class\nIdentification and   IA-1       Identification and Authentication Policy and          X\nAuthentication                  Procedures\n(IA)                 IA-2       User Identification and Authentication                X\n                     IA-3       Device Identification and Authentication\n                     IA-4       Identifier Management                                 X\n                     IA-5       Authenticator Management                              X\n                     IA-6       Authenticator Feedback                                X\n                     IA-7       Cryptographic Module Authentication\nAccess Control       AC-1       Access Control Policy and Procedures                  X\n(AC)                 AC-2       Account Management                                    X\n                     AC-3       Access Enforcement                                    X\n                     AC-4       Information Flow Enforcement\n                     AC-5       Separation of Duties\n                     AC-6       Least Privilege                                       X\n                     AC-7       Unsuccessful Login Attempts                           X\n                     AC-8       System Use Notification                               X\n                     AC-9       Previous Logon Notification\n                     AC-10      Concurrent Session Control\n                     AC-11      Session Lock                                          X\n                     AC-12      Session Termination                                   X\n                     AC-13      Supervision and Review \xe2\x80\x93 Access Control\n                     AC-14      Permitted Actions w/o Identification or               X\n                                Authentication\n                     AC-15      Automated Marking\n                     AC-16      Automated Labeling\n                     AC-17      Remote Access                                         X\n                     AC-18      Wireless Access Restrictions\n                     AC-19      Access Control for Portable and Mobile Systems\n                     AC-20      Personally Owned Information Systems\nAudit and            AU-1       Audit and Accountability Policy and Procedures        X\nAccountability       AU-2       Auditable Events                                      X\n(AU)                 AU-3       Content of Audit Records                              X\n                     AU-4       Audit Storage Capacity                                X\n                     AU-5       Audit Processing                                      X\n                     AU-6       Audit Monitoring, Analysis, and Reporting             X\n                     AU-7       Audit Reduction and Report Generation\n                     AU-8       Time Stamps                                           X\n                     AU-9       Protection of Audit Information                       X\n                     AU-10      Non-repudiation\n                     AU-11      Audit Retention                                       X\n\n\n\n\n                                                 45\n\x0c                                                                                              APPENDIX II\n\n                                NIST SP 800-53 Control                                            Sample of\n      Family              No.                                Name                                 Controls\n                                                                                                   Tested\nSystem and              SC-1        System and Communications Protection Policy and                  X*\nCommunications                      Procedures\nProtection              SC-2        Application Partitioning\n(SC)*                   SC-3        Security Function Isolation\n                        SC-4        Information Remnants\n                        SC-5        Denial of Service Protection\n                        SC-6        Resource Priority\n                        SC-7        Boundary Protection\n                        SC-8        Transmission Integrity\n                        SC-9        Transmission Confidentiality                                      X*\n                        SC-10       Network Disconnect\n                        SC-11       Trusted Path\n                        SC-12       Cryptographic Key Establishment and Management\n                        SC-13       Use of Validated Cryptography\n                        SC-14       Public Access Protections\n                        SC-15       Collaborative Computing\n                        SC-16       Transmission of Security Parameters\n                        SC-17       Public Key Infrastructure Certificates\n                        SC-18       Mobile Code\n                        SC-19       Voice Over Internet Protocol\nSource: KPMG and OIG compilation of controls tested.\n*These control families and controls were included in our survey work; however, the scope of our work was not\nsufficient for us to provide an assessment of the control family.\n\n\n\n\n                                                       46\n\x0c                                                          APPENDIX III\n\n\n                       ACRONYMS\n\n       Acronym                          Definition\nAPM              Acquisition Policy Manual\nBCP              Business Continuity Plan\nBIA              Business Impact Analysis\nC&A              Certification and Accreditation\nCFO              Chief Financial Officer\nCIO              Chief Information Officer\nCIRC             Capital Investment Review Committee\n                 Control Objectives for Information and related\nCOBIT\xc2\xae           Technology\nCOO              Chief Operating Officer\nCPIM             Capital Planning and Investment Management\nDIRM             Division of Information Resources Management\nDIT              Division of Information Technology\nDOA              Division of Administration\nDOF              Division of Finance\nEA               Enterprise Architecture\nFIPS PUB         Federal Information Processing Standards Publication\nFISMA            Federal Information Security Management Act\nFMFIA            Federal Managers Financial Integrity Act\nGAGAS            Generally Accepted Government Auditing Standards\nGAO              Government Accountability Office\nHSPD             Homeland Security Presidential Directive\nIATO             Interim Authorization to Operate\nIBM              International Business Machines\nID               Identification\nIDS              Intrusion Detection System\nIG               Inspector General\nISM              Information Security Manager\nISS              Information Security Staff\nIT               Information Technology\nKPMG             KPMG LLP\nLAN/WAN          Local Area Network/Wide Area Network\nNIST             National Institute of Standards and Technology\nOIG              Office of Inspector General\nOMB              Office of Management and Budget\n\n\n\n                             47\n\x0c                                                  APPENDIX III\n\n\n     Acronym                         Definition\nPIA            Privacy Impact Assessment\nPIV            Personal Identity Verification\nPOA&M          Plan of Action and Milestones\nRUP\xc2\xae           Rational Unified Process\xc2\xae\nSDLC           System Development Life Cycle\nSP             Special Publication\nST&E           Security Testing and Evaluation\nU.S.C.         United States Code\n\n\n\n\n                           48\n\x0c                                                                            APPENDIX IV\n\n\n                           GLOSSARY OF TERMS\n\n              Term                                        Definition\nAccess Controls            The ability to ensure that system resources can be accessed only by\n                           authorized users in authorized ways.\nAdequate Security          Security commensurate with the risk and magnitude of the harm\n                           resulting from the loss, misuse, or unauthorized access to or\n                           modification of information.\nAudit Trail                An audit trail is a series of records of computer-related events about\n                           an operating system, an application, or user activities. An\n                           information system may have several audit trails, each devoted to a\n                           particular type of activity. The terms audit trail and audit log are used\n                           synonymously in this report.\nAuditable Event            An event is any action that happens on a computer system. Examples\n                           include logging into a system, executing a program, and opening a\n                           file.\nBiometrics                 One of various technologies that utilize behavioral or physiological\n                           characteristics to determine or verify identity. For example, a\n                           fingerprint scan is a commonly-used biometric.\nFirmware                   The programs and data components of a cryptographic module that\n                           are stored in hardware within the cryptographic boundary and cannot\n                           be dynamically written or modified during execution.\nHotfixes                   A hotfix is a single, cumulative package that includes one or more\n                           files that are used to address a problem in a product. Hotfixes address\n                           a specific customer situation and may not be distributed outside the\n                           customer organization.\nLeast Privilege            Refers to the practice of restricting a user\xe2\x80\x99s access to only those\n                           resources needed to perform official duties.\nLog                        A log is a record of the events occurring within an organization\xe2\x80\x99s\n                           systems and networks. Logs are composed of entries that contain\n                           information related to a specific event that occurred within a system\n                           or network.\nMainframe Dataset          The term dataset is used to refer to files on an IBM mainframe\n                           computer, typically stored on a direct-access storage device or\n                           magnetic tape. The term pertains to IBM mainframe operating\n                           systems.\nNational Institute of      A non-regulatory federal agency within the Department of\nStandards and Technology   Commerce\xe2\x80\x99s Technology Administration. As part of its\n(NIST)                     responsibilities, NIST develops and publishes technical, physical,\n                           administrative, and management standards and guidelines for the\n                           cost-effective security and privacy of sensitive, but unclassified,\n                           information in federal computer systems.\nObject Code                Software program instructions compiled (translated) from source\n                           code into machine-readable formats.\nRouters and Switches       A router is a computer networking device that forwards data packets\n                           toward their destinations through a process known as routing. A\n                           network switch is a computer networking device that connects\n                           network segments.\nSource Code                A set of programming language instructions that must be translated to\n                           machine instructions before the program can run.\n\n                                          49\n\x0c                                                                  APPENDIX IV\n\n\n           Term                                 Definition\nTest Scripts      Test scripts constitute those series of actions, keystrokes, tabs, mouse\n                  clicks, etc. used to navigate through a single screen or a series of\n                  screens in an application.\n\n\n\n\n                                 50\n\x0c"